When several destinations use the same security settings, you should define one security constraint in the security section of the services configuration file and refer to it in each destination (global security constraints).
Security constraint can be declared in a destination definition too (inline).
Additionally, you can access the values of the principal object directly by reading the current thread or HttpContext principal
and perform checks with the use of IsInRole method to perform authorization
IPrincipal principal = HttpContext.Current.User;
if ( principal.IsInRole("admin") )
{
...
}