There should be capability provided to the users which shows them which security role (or permission on the entity specifically) is missing along with the Error message which shows "Access is Denied"

Basic example - Lets suppose if any user is trying to access the Contact record and he doesn't have read privileges on contact entity, then there should be a message given on the Screen "Access is Denied" and the user doesn't have read privileges on msdyn_contact entity.