A while ago I talked about navigation and security trimming in ASP.NET 2.0, and someone asked about this on as ASPAdvice list. Luckily a couple of the team members (thanks Ting-Hao and Stefan) stepped in to correct a few misconceptions. The <authorization> section of web.config controls who has access to the page, and this is the case whether or not security trimming and site maps are being used; it protects against direct url access and controls user and role based access. When using the site maps and a navigation control, then the menus are built using this information too - so if a user isn't authorized for a page then the node isn't displayed (in fact it's not even returned from the provider to the UI). The use of the roles attribute on the siteMapNode elements doesn't affect the authorization, it simply affects whether the item is shown on the menu. The reason for having control here is that it allows menu items to show even if the current user doesn't have access to that page. They can select the menu item, but if not authorized then they'll be redirected to the login page. This is useful for people who wear multiple hats, and have multiple logins; the UI can be the same while they are logged into a low privilege account, and trying to access a priviliged page will prompt them to log in. So unless you need this feature, the only thing you need to do to set the visibility of menu items is to restrict their access via the <authorization> section.