This section is used to grant or deny access to users to sub-menus (or pages) based on their role. For example, you may only want authenticated users within specific roles to have access to the Create Invoice page.
The page is defined in the <location path/> setting and is set up by default during installation.
The <allow roles> setting determines which roles are authenticated to access the page.
The <deny users> setting ensures that all users other than ones assigned to one of the roles listed in the <allow roles> section are not allowed access to the page. Both entries are required. This setting can be set to "*" which means deny everyone or "?" means deny unauthenticated users.
<location path="ViewAggregators/DataEntry/CreateInvoice.aspx">
<system.web>
<authorization>
<allow roles="Vendor Admin, VP Admin"/>
<deny users="?" />
</authorization>
</system.web>
</location>