On the Security tab, you can configure security options for the currently edited widget. By default, all widgets are forbidden for all zone types and are allowed for authorized roles only. However, no authorized role is selected by default. It is up to the developers to allow the widget for a specific type of zone and role.
Please keep in mind that changing the security settings will affect new widgets only. If a user was allowed to add a widget and an administrator later removes this permission, the user can still see the widget on their page. However, once deleted, the widget cannot be added back to the page without allowing it in the Security tab of that particular widget.
More resources can be found at: