I came across an inconsistency in Radzen.
When we change the access in page properties and give it say "Authenticated" and "Administrator", it is additive, the user needs to be both authenticated AND administrator.
But the IsInRole function, if we give it new String[] { "Authenticated", "Administrator" }, it needs to be either Authenticated OR Administrator for it to return true.
The behaviour was that Authenticated but non Administrator users were seeing the Users and Roles page links in the top menu because it had Visible="@Security.IsInRole(new string[]{"Authenticated", "Administrator"})" which is undesirable.
This code is auto-generated. As a quick fix I just removed the Authenticated role from access in page properties.
You need to set the role just to Administrator in this case as Authenticated is less restrictive.