
Security Considerations


The online directory is treated as a Restricted resource, and thus can only be accessed by "authorized users".  An "authorized user" is a user who:
  1. ... is listed in your Users report (Reports --> Users).
  2. ... has an email address.
  3. ... has a checkmark in the "Authorized" column.

As the administrator of your website, you are responsible for deciding which users are authorized and which are not.  You can check or uncheck the Authorized column for any of your users to grant or revoke access to the online directory (and other restricted resources).  Keep in mind that there are no restrictions on who can create a user account on your website.  Anybody in the world with a smartphone has the ability to create a password-protected user account with an email address on your website.  They could even add students into their accounts to make it appear that they are parents at your school.  But, by default, all users are unauthorized.  So it is up to you, the administrator, to ensure that authorization is only given to legitimate community members.  There are two ways to authorize your users:  Manual Authorization and Self Authorization.

 

Manual Authorization

Manual authorization involves going to your Users report and checking the "Authorized" box for those users who are legitimate community members and ought to be able to access the online directory.

One good criterion to use when authorizing your community members is to authorize anyone who has placed an order through the website and paid for it.  The payment might have been by check or credit card, but the fact that a payment has been made (for things like a PTA membership, a yearbook, etc.) is a relatively good indication that the person is legitimate.  And generally, you can safely authorize any family members of that person as well.  To easily authorize all users (and their family members) who have paid for items on your website:

  1. Go to Reports --> Users.
  2. Click the filter dropdown, and choose "Product ordered by family".
  3. Configure the filter as appropriate for your situation.  The first box should read "ordered (paid for) a".  In the other two boxes, choose a product or group of products that you feel would safely qualify someone to become authorized.  Press apply.  This will filter your users list to just those who have paid for the item you specified.
  4. To easily authorize this full list of users, click the checkbox in the header for the Select column.  
  5. Then, click the pencil icon in the header for the Authorized column.  Set the "Authorized" field to "Yes", and press OK.

The above will generally work for a large portion of your users.  But there will inevitably be many other users who have never paid for anything on your website, and who are still legitimate community members who need access to the online directory.  For these users, you should get an official list of parent names and student names from your school's office, and go through them one by one, verifying them against the official list before marking them as Authorized.

 

Self Authorization

You can set an authorization code (similar to a password) such that users can authorize themselves by entering the correct code.  If you choose to use this method of self authorization, there are important precautions to take to ensure the security of your website and online directory:

  • Choose an authorization code that cannot be guessed.  As tempting as it may be, do not use your school colors, school mascot, or the current school year as part of your authorization code (e.g., "GoBulldogs2013!").  These types of codes are very common and too easy to guess.
  • Do not post your authorization code in a newsletter or web page that may be available on the internet.
  • Do not send your authorization code out via email, unless you are certain that your email list contains only legitimate community members.  Many schools have their own electronic news distribution lists, but in some cases, it is very easy for people outside of the community to add themselves to the distribution list.
  • DO communicate your authorization code to the parents in your community by sending home a paper flyer with each student.
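One way to follow the first precaution, as an added example that is not part of the original documentation or the platform's own code: it generates a random authorization code and checks a proposed code for the guessable elements named above. The function names, the sample school terms, the code format and the 10-character minimum are assumptions chosen for illustration; the website may impose its own limits on what a code can contain.

```python
import re
import secrets

# Assumed alphabet: no 0/O or 1/I/L, so the code is easy to copy from a paper flyer.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
MIN_LENGTH = 10  # assumed minimum, counting letters and digits only


def generate_code(groups=3, group_len=4):
    """Return a random code like 'K7QM-X2RD-9HTP' (about 59 bits of entropy)."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def guessable_reasons(code, school_terms, school_years):
    """List why a proposed code is guessable; an empty list means nothing was found."""
    reasons = []
    # Compare on letters and digits only, so "Go-Bulldogs" still matches "bulldogs".
    normalized = re.sub(r"[^a-z0-9]", "", code.lower())
    for term in school_terms:
        needle = re.sub(r"[^a-z0-9]", "", term.lower())
        if needle and needle in normalized:
            reasons.append(f"contains school term '{term}'")
    for year in school_years:
        if str(year) in normalized:
            reasons.append(f"contains school year {year}")
    if len(normalized) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def generate_safe_code(school_terms, school_years):
    """Draw random codes until one passes the guessability check."""
    while True:
        code = generate_code()
        if not guessable_reasons(code, school_terms, school_years):
            return code


if __name__ == "__main__":
    # Constructed sample values: mascot, colors and school years of a made-up school.
    terms, years = ["Bulldogs", "blue", "gold"], [2013, 2014]
    print(guessable_reasons("GoBulldogs2013!", terms, years))
    print(generate_safe_code(terms, years))
```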

If you choose to use an authorization code to allow parents to self authorize their accounts, then once they enter the correct authorization code, their account will be permanently authorized and they will not need to enter the authorization code in the future.  From then on, they only need to sign in with their own email address and password to access the online directory.  As an administrator, you still have full control over granting or revoking somebody's authorization by visiting Reports --> Users.