Calling PermitOnly has essentially the same effect as calling Deny, but it is a different way of specifying the conditions under which the security check should fail. Instead of saying that a specified resource cannot be accessed (as Deny does), PermitOnly says that only the resource(s) you specify can be accessed. Therefore, calling PermitOnly on permission X is the same as calling Deny on all permissions except permission X. If you call PermitOnly, your code can be used to access only the resources protected by the permissions that you specify when you call PermitOnly.
You use PermitOnly instead of Deny when it is more convenient to describe what resources can be accessed instead of what resources can't be accessed.