When a new widget is created from an existing web part, all the attributes are hidden in the editing form. It is up to the widget creator to select attributes which would be available for customization using check boxes in the Properties tab.
The security options are defined in the Security tab. By default, all widgets are forbidden for any zone and are allowed for authorized roles only. However, no authorized role is selected by default. It is up to the developer to allow the widget for a specific type of zone and role.
Please keep in mind that changing the security settings will affect new widgets only. If a user was allowed to add a widget and an administrator has forbidden this right, the user can still see the widget on their page. However, once deleted, the widget cannot be added back to the page without allowing it in the Security tab of that particular widget.
Page url: http://devnet.kentico.com/docs/devguide/index.html?widgets_security.htm