Site security is all about preventing people from seeing what they are not permitted to see.

This doesn't simply mean providing a log-in or error when they click on a link to a page they shouldn't access, but, wherever possible, they should even know that the page exists at all.

For this reason, the site automatically creates the navigation links - dropdown, fly out menus, etc - and when it creates these links, it considers the set of usergroups that that particular user is a member of, and only includes those pages that they are permitted to see.

Of course, the security is not simply a matter of hiding links: if the user guess the url for a page they weren't permitted to see they still wouldn't get in, but would be presented with a login page.