Have you configured the virtual roles CmsAdmin and CmsEditors in EPiServerFrameWork.config? They are used for authorization in the mvc part of EPiServer.

What you mean "configured the virtual roles"?  EPiServerFramework.config looks correct -- I can see the virtual roles in there:

      <add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
      <add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" />

What configuration needs to take place apart from them being in the file?

Are you using WebAdmins and WebEditors as groups for editors and admins? Otherwise you have to add your own roles to each virtual role in the roles attribute.

Now you're mapping WebAdmins and Administrators to the CmsAdmins roles and so on.

Also check if you have configured following paths in web.config correctly:

<episerver.shell>
		<publicModules rootPath="~/modules/" autoDiscovery="Minimal"/>
		<protectedModules rootPath="~/yourUI/">
			<add name="shell"/>
			<add name="cms"/>
		</protectedModules>
	</episerver.shell>

So, just to clarify --

Visitor Groups operates off the CmsEditors and CmsAdmins roles.

And the "EPiServer.Security.MappedRole" converts one role to another.  So this code...

      <add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
      <add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" />

...is saying that the "WebAdmins" and "Administrators" roles are both also valid for the "CmsAdmins" role.  And the "WebEditors" role is also valid for the "CmsEditors" role.

Is that correct?

That's correct regarding "EPiServer.Security.MappedRole". And I hope Visitor Groups is using asp.net mvc and authorization rules, just like other parts of EPiServer Framework like Online Center and My Settings. 

Turns out groups on this server were a little different -- users weren't in the WebAdmins and WebEditors roles that were mapped to CmsAdmins and CmsEditors.  I changed the config of those MappedRoles, and we're good now.

Thanks Johan -- I appreciate the pointer on how access works for Visitor Groups.  Wouldn't have found it otherwise.

I'm glad I could help :)

In order to control visitor group access security list we discovered that you need to add missing virtual role in episerverframework.config file:

<add name="VisitorGroupAdmins" roles="{your roles here}" type="EPiServer.Security.MappedRole, EPiServer" mode="Any"/>

Great to find this, and thanks Valdis, your lien of code fixed it for me. But... We had to change the assembly in the setting so it look like this:

<add name="VisitorGroupAdmins" roles="{your roles here}" type="EPiServer.Security.MappedRole, EPiServer.Framework" mode="Any"/>

That I guess was for v6. Too old answer to match latest version :)

True Valdis, I saw what section it was on just after I pressed ok on my comment ;-)

I'm glad everyone has fixed their issues, but I would like to add a little clarification for future reference.

From http://world.episerver.com/documentation/items/developers-guide/episerver-cms/75/personalization/configuring-personalization/

"To access Visitor Groups in the global menu you must be a member of the access groups CmsAdmins or VisitorGroupAdmins, otherwise you will be prompted to a login page. If you want editors to be able to add, edit and delete visitor groups, you can provide access by adding them to VisitorGroupAdmins (CmsAdmins and CmsEditors are already defined in the configuration)."

The idea we had was that by default just admins would have access to the UI, but it could be modified by adding the VisitorGroupAdmins role.

And yes Johan, that is standrad asp.net roles, so you don't have to use the MappedRole configuration to add it. It can be managed like any role in the system.

Regards

Per Gunsarfs