I have been asked the same question a few times in the last few weeks about custom actions in SharePoint and how to hide or show them depending on the user's identity. This information is spelled out in the SDK, but I haven't seen much of it written up in blogs, etc., so I thought I would post a quick summary.

From the SDK, you can find that the schema for defining a custom action is as follows:

<CustomAction
  ContentTypeId = "Text"
  ControlAssembly = "Text"
  ControlClass = "Text"
  ControlSrc = "Text"
  Description = "Text"
  GroupId = "Text"
  Id = "Text"
  ImageUrl = "Text"
  Location = "Text"
  RegistrationId = "Text"
  RegistrationType = "Text"
  RequireSiteAdministrator = "TRUE" | "FALSE"
  Rights = "Text"
  Sequence = "Integer"
  ShowInLists = "TRUE" | "FALSE"
  ShowInReadOnlyContentTypes = "TRUE" | "FALSE"
  ShowInSealedContentTypes = "TRUE" | "FALSE"
  Title = "Text">
</CustomAction>
The key to security trimming your custom action is the Rights attribute. This attribute lets you specify the SharePoint permissions that the user must have for the action to be visible. The value can be a comma-delimited list. For example:
"ViewListItems,ManageAlerts" 
When more than one value is specified, the rights are combined with a logical AND: the user must have all of the specified rights for the action to be visible. Here is the list of valid Microsoft.SharePoint.SPBasePermissions values you can use:
http://msdn2.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
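
One way to check a feature's element manifest for custom actions that are not security trimmed or that name a right that does not exist (an added example, not code from the original post or the SDK). The sample manifest, its Ids, Titles and Urls, and the function names are hypothetical, and the permission names are transcribed from the SPBasePermissions enumeration linked above.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/sharepoint/}"
# SPBasePermissions member names (WSS 3.0); verify against the linked reference.
VALID_RIGHTS = set("""EmptyMask ViewListItems AddListItems EditListItems
DeleteListItems ApproveItems OpenItems ViewVersions DeleteVersions CancelCheckout
ManagePersonalViews ManageLists ViewFormPages Open ViewPages AddAndCustomizePages
ApplyThemeAndBorder ApplyStyleSheets ViewUsageData CreateSSCSite ManageSubwebs
CreateGroups ManagePermissions BrowseDirectories BrowseUserInfo
AddDelPrivateWebParts UpdatePersonalWebParts ManageWeb UseClientIntegration
UseRemoteAPIs ManageAlerts CreateAlerts EditMyUserInfo EnumeratePermissions
FullMask""".split())

# Constructed sample manifest: every Id, Title and Url below is hypothetical.
SAMPLE = """<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <CustomAction Id="Demo.Untrimmed" GroupId="SiteActions" Title="Audit report"
                Location="Microsoft.SharePoint.StandardMenu">
    <UrlAction Url="~site/_layouts/demo/audit.aspx"/>
  </CustomAction>
  <CustomAction Id="Demo.Trimmed" GroupId="SiteActions" Title="Alert settings"
                Location="Microsoft.SharePoint.StandardMenu"
                Rights="ViewListItems,ManageAlerts">
    <UrlAction Url="~site/_layouts/demo/alerts.aspx"/>
  </CustomAction>
  <CustomAction Id="Demo.Typo" GroupId="SiteActions" Title="Alert export"
                Location="Microsoft.SharePoint.StandardMenu"
                Rights="ViewListItems,ManageAlert">
    <UrlAction Url="~site/_layouts/demo/export.aspx"/>
  </CustomAction>
</Elements>"""

def split_rights(value):
    """Split a Rights attribute into its individual permission names."""
    return [r.strip() for r in (value or "").split(",") if r.strip()]

def audit_custom_actions(xml_text):
    """Map each CustomAction Id to a list of trimming problems found."""
    report = {}
    for action in ET.fromstring(xml_text).iter(NS + "CustomAction"):
        rights = split_rights(action.get("Rights"))
        admin = (action.get("RequireSiteAdministrator") or "").upper() == "TRUE"
        findings = [] if rights or admin else ["no Rights or RequireSiteAdministrator"]
        findings += ["unknown right: " + r for r in rights if r not in VALID_RIGHTS]
        report[action.get("Id")] = findings
    return report

def is_visible(rights_value, user_rights):
    """Model of the AND rule: the user must hold every listed right."""
    return set(split_rights(rights_value)) <= set(user_rights)
```

The Rights attribute only controls whether the link is rendered; the page behind the UrlAction still has to enforce its own permission check.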