You didn't specify what version of ASP.NET you are using. For ASP.NET MVC (not Core) it is documented here. In general you will globally configure authentication. For controllers (or actions) that require different rules you'll use the Authorize attribute on the controller/action to specify the role(s) you need for that specific action/controller. If anyone needs access then you'll use AllowAnonymous instead. If your site mostly is for unauthenticated users then you would simply apply the Authorize
attribute to the controllers/actions that need it. In general it is recommended that you isolate your controllers such those needing security are separate from those that don't.
For ASP.NET Core it is a similar process but APIs and MVC controllers are combined into one. Here's the article on implementing role-based in ASP.NET Core.
If you are using WebForms then the process is different. Security is configured in the web.config using the location
elements.