I'd like to customize the System.Web.Http.AuthorizeAttribute class like this:
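/// <summary>
/// Authorization filter that compares the permission level derived from the
/// session's "Role" entry with the level required by the decorated controller
/// or action.
/// </summary>
/// <remarks>
/// This type derives from the Web API filter (System.Web.Http.AuthorizeAttribute).
/// The ASP.NET MVC pipeline only invokes filters built on System.Web.Mvc (for
/// example System.Web.Mvc.AuthorizeAttribute, overriding AuthorizeCore), so
/// placing this attribute on a System.Web.Mvc.Controller does not protect its
/// actions: IsAuthorized is never called there.
/// </remarks>
public class MyAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    /// <summary>
    /// Permission level the decorated controller/action requires. It is set at
    /// the usage site and is only read, never modified, during authorization.
    /// </summary>
    public PermissionsEnum IsPermitted { get; set; }

    /// <summary>
    /// Decides whether the current request may proceed.
    /// </summary>
    /// <param name="actionContext">Context of the action being authorized.</param>
    /// <returns>
    /// false when there is no HTTP context, session or string "Role" entry, or
    /// when the role's permission level does not satisfy <see cref="IsPermitted"/>;
    /// otherwise the result of the base authorization check.
    /// </returns>
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // HttpContext.Current is null outside a request, and Session is null when
        // session state is not enabled for the request (the Web API default).
        // Deny access instead of failing with a NullReferenceException.
        System.Web.HttpContext httpContext = System.Web.HttpContext.Current;
        if (httpContext == null || httpContext.Session == null)
        {
            return false;
        }

        // A missing or non-string role entry is treated as "no role": deny.
        string role = httpContext.Session["Role"] as string;
        if (role == null)
        {
            return false;
        }

        // Both comparisons use the session role. The original compared the
        // attribute's own Roles property with "Super Admin", which never looked
        // at the user.
        // The result stays in a local: writing it to IsPermitted would overwrite
        // the required level, and filter instances may be reused across requests.
        PermissionsEnum granted = (role == "Admin" || role == "Super Admin")
            ? PermissionsEnum.Administration
            : PermissionsEnum.Collaboration;

        // NOTE(review): assumes administrators may also use Collaboration-level
        // actions; drop the second clause if the levels are meant to be exclusive.
        bool satisfied = granted == IsPermitted
            || granted == PermissionsEnum.Administration;
        if (!satisfied)
        {
            return false;
        }

        return base.IsAuthorized(actionContext);
    }
}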
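/// <summary>
/// Permission levels used by the authorization attribute. The two levels are
/// mutually exclusive, so the enum is not marked [Flags].
/// </summary>
/// <remarks>
/// The numeric values are unchanged (0 and 1). Because Administration is 0,
/// x.HasFlag(PermissionsEnum.Administration) is true for every value; compare
/// levels with == rather than with HasFlag or bitwise operators.
/// </remarks>
public enum PermissionsEnum
{
    /// <summary>Administrative access. Also the default value of the enum.</summary>
    Administration = 0,

    /// <summary>Collaborator access.</summary>
    Collaboration = 1
}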
I used it in a controller:
/// <summary>
/// MVC controller serving the Pointage views. Every action is meant to require
/// the Administration permission level through the class-level attribute.
/// </summary>
/// <remarks>
/// NOTE(review): this class derives from the MVC Controller, while
/// MyAuthorizeAttribute derives from System.Web.Http.AuthorizeAttribute (Web API).
/// MVC does not run Web API filters, so the attribute below is not enforced for
/// these actions until it is rebuilt on System.Web.Mvc.AuthorizeAttribute.
/// </remarks>
[MyAuthorize(IsPermitted = PermissionsEnum.Administration)]
public class PointageController : Controller
{
    /// <summary>Renders the default view for this action.</summary>
    public ActionResult GraphesEtStatistiques()
    {
        return View();
    }

    /// <summary>Renders the default view for this action.</summary>
    // Repeats the class-level requirement with the same permission level.
    [MyAuthorize(IsPermitted = PermissionsEnum.Administration)]
    public ActionResult Pointage()
    {
        return View();
    }

    /// <summary>Renders the default view for this action.</summary>
    public ActionResult Parametrage()
    {
        return View();
    }

    /// <summary>
    /// Renders the "_MessagesList" partial view with all messages returned by
    /// the repository.
    /// </summary>
    // No action-level attribute here: only the class-level one applies.
    public ActionResult GetMessages()
    {
        var repository = new MessagesRepository();
        var messages = repository.GetAllMessages();
        return PartialView("_MessagesList", messages);
    }
}
My problem is that I can access the Pointage view even when IsPermitted = PermissionsEnum.Collaboration!
So :
- What is the reason for this problem?
- How can I fix it?