To control what kinds of users can see and do what, you need to authenticate the users. See how to add user authentication to an application.
Once a user has been authenticated, you may control what he can see and do by overriding the check.. methods on SecurityManager in your root class folder or on a copy in an application class folder. Just write the necessary rules in the overriding methods and let them return an appropriate error message if the user is not authorized. You may use one of the standard error messages from the getMessage.. methods inherited from PntSecurityManager.
PntSecurityManager also implements default authorization in check.. methods on a detailed level by calling corresponding check methods on a broader level. For example it will call from so that if you deny certain users access to a domain folder it will deny those users access to all domain classes in that folder. Read the implementation of these methods in to see what the defaults are and read their comments to learn about their limitations.
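The delegation from detailed checks to broader checks, and the convention of returning an error message on denial, can be sketched as follows. This is an added example, not phpPeanuts code: ExampleSecurityManager, checkFolder and checkViewClass are hypothetical names, the class does not extend PntSecurityManager, and returning null for "authorized" is an assumption.

```php
<?php
// Stand-alone sketch: ExampleSecurityManager and its method names are
// hypothetical, not the phpPeanuts API. Assumed convention: a check returns
// null when access is allowed and an error message string when it is denied.
class ExampleSecurityManager
{
    // Constructed sample data: domain folder => roles allowed to enter it.
    private $folderRoles = [
        'hr'      => ['hr_staff', 'admin'],
        'catalog' => ['hr_staff', 'sales', 'admin'],
    ];
    private $roles;
    public function __construct(array $roles)
    {
        $this->roles = $roles;
    }

    // Broad level: may the user enter this domain folder at all?
    public function checkFolder(string $folder): ?string
    {
        // Deny by default: a folder without an entry has no allowed roles.
        $allowed = $this->folderRoles[$folder] ?? [];
        if (array_intersect($this->roles, $allowed)) {
            return null;
        }
        return "You are not authorized to access '$folder'";
    }

    // Detailed level: consult the broader check first, so a folder denial
    // covers every class in that folder, then apply the class-specific rule.
    public function checkViewClass(string $folder, string $class): ?string
    {
        $error = $this->checkFolder($folder);
        if ($error !== null) {
            return $error;
        }
        if ($class === 'Salary' && !in_array('admin', $this->roles, true)) {
            return "You are not authorized to view '$class'";
        }
        return null;
    }
}

$sales = new ExampleSecurityManager(['sales']);
var_dump($sales->checkViewClass('hr', 'Employee'));     // folder rule applies
var_dump($sales->checkViewClass('catalog', 'Product')); // no rule denies this
$hr = new ExampleSecurityManager(['hr_staff']);
var_dump($hr->checkViewClass('hr', 'Salary'));          // class rule applies
```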
Currently the default pages and actions support authorization by application and by domain model type. For more detailed control over what users can see and do, for example by hiding some parts of a page, buttons or widgets, and controlling the processing of individual fields by SaveActions, you will need to override individual page, part and/or action classes and add custom code for checking user rights. Also see how to specialize a part of a page.