What does "allow" mean in site permissions?

matt howell 3,511 Reputation points
2022-09-22T22:18:55+00:00

Msft's use of language seems designed to confuse rather than clarify. I have a test user with read access to a site yet the user has access to site permissions, page publishing etc. which they shouldn't have. If I check permissions, I see they are in the "read" group but also have many "allow" options. What does "allow" mean exactly and how did the "allow" permissions get added to this user? There's no unique permissions on this site so none of this makes any sense.

Permission levels given to xcxx Test Account 1 (i:0#.f mxxxx****)

- Read: Given through the "xxxr Visitors" group.

The following factors also affect the level of access for xxx Test Account 1 (i:0#.fxxxxxxxcrosoft.com)

- Allow: Manage Permissions. Create and change permission levels on the Web site and assign permissions to users and groups.
- Allow: View Web Analytics Data. View reports on Web site usage.

Microsoft 365 and Office | SharePoint | For business | Windows

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

4 answers

  1. Anonymous
    2022-10-06T06:34:46+00:00

    Hi webbrewers,

    Apologies for late reply!

    If nothing was changed at permission level, I also tried to test from my side but there is no other way a user with Read Permission can access Permission settings.

    However, it is possible that if that user belongs to any other group, or was shared a link with other Permissions like Edit, he can access these settings. Does that user have admin access?

    Now, let us check what kind of Permissions this user has on a site: Go to Settings > Site Permissions > Advanced Permission Settings > Check Permissions > type the name of that user > Check Now.

    Your patience and cooperation are highly appreciated.

    Sincerely,

    Edwine | Microsoft Community Moderator

  2. matt howell 3,511 Reputation points
    2022-10-03T20:25:14+00:00

    No, nothing was changed at the permissions level. Read is the default read and a user in that group hasn't been granted additional permissions. Where else could the "allow" options be enabled?

  3. Anonymous
    2022-09-23T02:16:41+00:00

    Dear webbrewers,

    Good day! Thank you for posting to Microsoft Community. We are happy to help you.

    I went through your question and it seems you added a user to a site with Read permission in the Visitors group, but the user has access to Site Permissions!

    Firstly, I tested this from my side, added a user to visitors group with Read Permission, and for sure, a user can't access Site Permissions, and can access the Site contents in read-only mode:

    User with read access on a Site:

    The same site, user with edit permission:

    Now, to better understand your scenario, may I know how you added this user? And how did you give permission to this user? Did you modify the Read permission?

    For me, to add this user, I clicked on the Settings icon > Site Permissions > Advanced Permissions Settings > Visitors > New > Add Users to this group > Entered the email address > Share.

    Then this user received the invitation via his Outlook, clicked on the link to the site and everything is read only.

    Secondly, about your Allow question, I believe you refer to this:

    Note: It is always advised not to edit the default Permission levels for groups that are created automatically:

    For example, if you edit the "Read Permission" and allow Manage Permissions, that means you are allowing the user to have permission to manage Permissions. Please, if you want a user to access the site in read-only mode, just assign this "Read" permission and don't edit it to allow anything.

    If you want to customize a Permission level, you can create another Permission and customize it and then assign it to users. But you have to be careful about the permissions you allow!

    How to create a new permission level?

    For example, if you want to create a Permission level from "Read", under Permission Levels, click on Read > scroll down to the bottom and click Copy Permission Level > give it a name > and then allow all the permissions that you want your users to have and finally click Create:

    After that, this permission will appear on the list of Permission levels, and you can add users and assign this Permission to them.

    If you had allowed "Manage Permissions" and "View Web Analytics Data", please uncheck them because this means every user you add and give Read Permission will be able to manage permissions.

    Thanks for your kind understanding and cooperation. I hope the above information helps!

    With Sincerest Regards,

    Edwine | Microsoft Community Moderator
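
The check the moderator describes above (whether a permission level such as Read was edited to allow Manage Permissions or View Web Analytics Data) can also be run from PowerShell. This is an added example, not part of the original thread; it assumes the PnP.PowerShell module is installed, and the site URL is a placeholder.

```powershell
# Added example: list every permission level on a site that carries the two
# "Allow" permissions from the question, and warn if the built-in Read level does.
# Assumption: PnP.PowerShell is installed; $siteUrl is a placeholder to replace.
$siteUrl = 'https://contoso.sharepoint.com/sites/placeholder'
Connect-PnPOnline -Url $siteUrl -Interactive

# UI permission name -> CSOM PermissionKind flag.
$watched = @{
    'Manage Permissions'      = [Microsoft.SharePoint.Client.PermissionKind]::ManagePermissions
    'View Web Analytics Data' = [Microsoft.SharePoint.Client.PermissionKind]::ViewUsageData
}

# Walk every permission level (role definition) defined on the site.
$findings = foreach ($level in Get-PnPRoleDefinition) {
    foreach ($name in $watched.Keys) {
        if ($level.BasePermissions.Has($watched[$name])) {
            [pscustomobject]@{
                PermissionLevel = $level.Name
                RoleTypeKind    = $level.RoleTypeKind
                Allows          = $name
            }
        }
    }
}

$findings | Sort-Object PermissionLevel, Allows | Format-Table -AutoSize

# RoleTypeKind 'Reader' identifies the built-in Read level even if it was renamed.
$readHits = @($findings | Where-Object { $_.RoleTypeKind -eq 'Reader' })
if ($readHits.Count -gt 0) {
    Write-Warning ("The Read permission level allows: " +
        (($readHits.Allows | Sort-Object -Unique) -join ', '))
} else {
    Write-Host 'The Read permission level does not include either watched permission.'
}
```

If the Read level comes back clean, the permission-level edit is ruled out and the "Allow" entries have to be traced to something other than the level itself.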

  4. matt howell 3,511 Reputation points
    2022-09-23T01:06:11+00:00

    The user isn't in any other groups either and this isn't a group connected site so the poorly designed duplication of permissions in group sites isn't a factor. Nothing was shared individually with the user either.
