In the security role assigned to a given user, you can remove read access to an entity. Without read access, they will not see it in the navigation. Also note that a user gets the greatest of all permissions assigned - so it they have multiple roles assigned or belong to a team that still has read access, they user will still see the records. There is not explicit "deny" priviledge.
↧