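First, let's limit access for normal users. This can be done easily at the API level using Spring Security. Add the following snippet to the configure method of src/main/java/com/mycompany/store/config/SecurityConfiguration.java.
Add it right before the line .antMatchers("/api/**").authenticated(). The position is very important: Spring Security evaluates the matchers in the order they are declared and applies the first one that matches the request, so a rule placed after /api/** would never be reached: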
.antMatchers("/api/customers").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/api/product-categories").hasAuthority(AuthoritiesConstants.ADMIN)
We specify that when the request path matches /api/customers or /api/product-categories, the user must have ROLE_ADMIN to access it. Now sign out, log in as user, and try to access the customer entity page. Look at the console in your browser's development tools and you should see a 403 Forbidden error for calls made to GET http://localhost:9000/api/customers.
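To see why the position of the two lines matters, here is an added example (not code from the original page or from Spring Security) that models first-match-wins rule evaluation in plain Java 16+. The class MatcherOrderDemo, the Rule record and the deny-when-nothing-matches default are assumptions of this model, and it handles only the two pattern shapes used above: exact paths and a trailing /**.

```java
import java.util.List;
import java.util.Set;

// Simplified model of ordered antMatchers rules (added example, not Spring's implementation).
public class MatcherOrderDemo {
    // requiredAuthority == null models .authenticated(): any logged-in user passes.
    record Rule(String pattern, String requiredAuthority) {}

    // Supports exact patterns and patterns ending in "/**" only.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String base = pattern.substring(0, pattern.length() - 3);
            return path.equals(base) || path.startsWith(base + "/");
        }
        return pattern.equals(path);
    }

    // The first rule whose pattern matches decides; later rules are never consulted.
    static boolean allowed(List<Rule> rules, String path, Set<String> authorities) {
        for (Rule r : rules) {
            if (matches(r.pattern(), path)) {
                return r.requiredAuthority() == null
                        || authorities.contains(r.requiredAuthority());
            }
        }
        return false; // model assumption: no matching rule means deny
    }

    public static void main(String[] args) {
        Rule customers = new Rule("/api/customers", "ROLE_ADMIN");
        Rule categories = new Rule("/api/product-categories", "ROLE_ADMIN");
        Rule api = new Rule("/api/**", null);

        List<Rule> adminRulesFirst = List.of(customers, categories, api); // order given above
        List<Rule> adminRulesLast = List.of(api, customers, categories);  // wrong position
        Set<String> user = Set.of("ROLE_USER");
        Set<String> admin = Set.of("ROLE_USER", "ROLE_ADMIN");

        System.out.println("user,  admin rules first: " + allowed(adminRulesFirst, "/api/customers", user));
        System.out.println("admin, admin rules first: " + allowed(adminRulesFirst, "/api/customers", admin));
        // With /api/** declared first, it matches before the ADMIN rule is ever checked.
        System.out.println("user,  admin rules last:  " + allowed(adminRulesLast, "/api/customers", user));
        // An exact pattern does not cover sub-paths, so this request falls through to /api/**.
        System.out.println("user,  /api/customers/1:  " + allowed(adminRulesFirst, "/api/customers/1", user));
    }
}
```

The last case shows that the exact pattern /api/customers leaves paths such as /api/customers/1 to the general /api/** rule; a pattern like /api/customers/** would be needed to cover them as well.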
Now that our backend handles this properly let's hide these entries in the menu for normal users. Let's add a *jhiHasAnyAuthority="'ROLE_ADMIN'" directive to the elements for customer and product category in src/main/webapp/app/layouts/navbar/navbar.component.html.
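Now only admin users will see these items on the menu. The directive only hides the links in the UI; access itself is enforced by the Spring Security rules on the API.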