In WCF, once you have your identity established you can create a demand for permissions against a roles server. So the permission is necessarily separate from the identity. In a smart client, where this demand is not available, do you cache a nugget for later use? If so, it freezes your abilities to the currently enrolled or demanded security. Considering the weight of most modern UI's, the ability to have the smart client detached and be able to track or validate any security bound method seems overly complex.
So here is my first blush at a hypothesis: an offline security manager can create a cache that is populated asynchronously by the startup of the client while online.
My assumptions are:
There is a coherent map of permissions that are bound to the functionality of the client.
There is at least one level of permissions that are fully enabled.
The smart client must start all permissions activities in a connected state.
Moving this security back to the client has two problems immediately apparent. More on those as I get further.