If you want to unit test (test in isolation) you have to

• test permissionLogic and you have to
• test that your contrologic (i.e. MVVM) uses the permission logic.

Test SecurityManager for permissionLogic

you can extract the permissionLogic to a class of its own with methods

public class SecurityManager
{
 bool IsAllowedToPrint(User user);
 bool IsAllowedToAdminister(User user);
}

then you write unit tests

 User user = CreateAdimistrator();
 Assert.AreEqual(true, securityManager.IsAllowedToAdminister(user));

Contrologic (i.e. MVVM) uses permission logic

create a mock-SecurityManager that always allow/disallow functionality. and write unit tests for the controller if it reacts as expected.

var allowEverythingMock = CreateSecurityManagerMockThatAllowsEverything();
var mvvm = CreateMvvm(allowEverythingMock );
Assert.IsNotNull(mvvm.GetAdminGui());

I am not shure if there is an easy way to create an integration-test where Click-Once-App actually uses the real SecurityManager and the result gets verified.

Update after getting more infos on what the goal is

write unit tests for the controller if it reacts as expected.

var controller = CreateCreate(Permission.Low);

try
{
   // File io is not allowed with low permissions
   controller.SaveTextAsFile("HellowWorld", @"c:\temp\UnittestResult.txt");
   Assert.Fail("The Controller should have forbidden this");
} catch(PermissionException pex) {
   // everything is ok. This specific exception was expected.
}