Add below in web.config of your web application with list of users and roles you want to give access to.
<authorization>
<deny users="*" />
<allow users="[comma separated list of users]" roles="[comma separated list of roles]" />
<deny users="[comma separated list of users]" roles="[comma separated list of roles]" />
</authorization>