Correct, use attributes.
I have a patch submitted that lets you pick the attributes to assign from your database (using a custom tsql function like you do to pull in the user list) if interested. Either that you when you build your permissions, you have to lookup your primary key of the class name and attach that to each authorization.
http://netsqlazman.codeplex.com/SourceControl/list/patches