Read only user


Is it possible to create a user that has access to login to the episerver admin, but only to view, not create or edit?

I've tried to create a new user group that only has Read, but then the user can't even login. I guess having only Read may be for anonymous visitors?

#254079
Apr 29, 2021 12:46

A user needs to be in the WebEditors group to log in to the editor; that's the base group. Add the user to that and then to your own group to lock down permissions.

#254085
Apr 29, 2021 14:00

I can't see that WebEditor group anywhere. And no user is a member of the group from what I can see, even those that have access.

I do have a custom group that when I add a user to it the user will have access. But that will give the user "full" access (view, create, update, delete), which is not what I want.

#254087
Apr 29, 2021 14:13

The out of the box configuration for Episerver with AspNet Identity is to have 3 roles: WebEditors (edit access), WebAdmins (admin access) and Administrators (also admin access, but some packages specifically require this). You'll then have them mapped to virtual roles configured in the web.config, and in the editor and admin sections of the web.config they'll be listed as having the appropriate access. However, this can all be modified, so you need to check what virtual roles you have set up in the web.config and what sections they are applied to for access.

Example from Alloy for the virtual role configuration:

    <virtualRoles addClaims="true">
      <providers>
        <add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />
        <add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
        <add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer.Framework" />
        <add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer.Framework" />
        <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
        <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any" />
        <add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
      </providers>
    </virtualRoles>

Then the restrictions in the location paths:

    <location path="EPiServer">
      <system.web>
        <httpRuntime maxRequestLength="1000000" requestValidationMode="2.0" />
        <pages enableEventValidation="true" enableViewState="true" enableSessionState="true" enableViewStateMac="true">
          <controls>
            <add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI" />
            <add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer.Cms.AspNet" />
            <add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI" />
          </controls>
        </pages>
        <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
        <authorization>
          <allow roles="WebEditors, WebAdmins, Administrators" />
          <deny users="*" />
        </authorization>
      </system.web>
      <system.webServer>
        <handlers>
          <clear />
          <add name="AssemblyResourceLoader-Integrated-4.0" path="WebResource.axd" verb="GET,DEBUG" type="System.Web.Handlers.AssemblyResourceLoader" preCondition="integratedMode,runtimeVersionv4.0" />
          <add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
          <add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.SimpleHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
          <add name="WebServiceHandlerFactory-Integrated-4.0" path="*.asmx" verb="GET,HEAD,POST,DEBUG" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv4.0" />
          <add name="svc-Integrated-4.0" path="*.svc" verb="*" type="System.ServiceModel.Activation.ServiceHttpHandlerFactory, System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv4.0" />
          <add name="wildcard" path="*" verb="*" type="EPiServer.Web.StaticFileHandler, EPiServer.Framework.AspNet" />
        </handlers>
      </system.webServer>
    </location>
    <location path="EPiServer/CMS/admin">
      <system.web>
        <authorization>
          <allow roles="WebAdmins, Administrators" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

#254090
Apr 29, 2021 14:45

The point with these roles is they are the base roles, so you need to work out what your default role is and apply minimum permissions so you can layer more complex group permissions on top. 

#254091
Apr 29, 2021 14:46

Also, you said admin in your first post. Did you mean Admin, or did you mean the Episerver editor? I've assumed you mean the editor, not the admin.

#254092
Apr 29, 2021 14:48

You are correct Scott, I meant editor (I'm new to episerver so I haven't grasped the terminology used yet).

So I found this in Web.config:

<virtualRoles replacePrincipal="true">
	<providers>
		<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework"/>
		<add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer.Framework"/>
		<add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer.Framework"/>
		<add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer.Framework"/>
		<add name="PackagingAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any"/>
		<add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any"/>
		<add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any"/>
		<add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer"/>
		<add name="SearchAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="Administrators, WebEditors, CustomRole"/>
	</providers>
</virtualRoles>

And this:

<location path="EPiServer">
	<system.web>
		...
		<authorization>
			<allow users="TestUser" roles="WebEditors, WebAdmins, Administrators, CustomRole" />
			<deny users="*" />
		</authorization>
	</system.web>
	...
</location>
<location path="EPiServer/CMS/admin">
	<system.web>
		<authorization>
			<allow users="TestUser" roles="WebAdmins, Administrators, CustomRole" />
			<deny users="*" />
		</authorization>
	</system.web>
</location>
<location path="Plugins">
	<system.web>
		<authorization>
			<allow users="TestUser" roles="WebAdmins, Administrators, CustomRole" />
			<deny users="*" />
		</authorization>
	</system.web>
</location>

This all works fine for the current users, but I still don't really understand how I can give this new user the right to view but not actually do anything (create, change, delete). It's fine if the user is able to see everything, so there's no need to restrict access to certain areas.

Thank you for your patience Scott, I really appreciate it!

#254093
Apr 29, 2021 15:27

What permissions do you have set in the permissions viewer in the Episerver admin for WebEditors and CustomRole for your site?

Usually the standard is just to have WebEditors set up for the EPiServer location path:

<allow users="TestUser" roles="WebEditors, WebAdmins, Administrators, CustomRole" />

Then you'd make sure you have the 3 groups in the admin, and users with editor access added to WebEditors. You'd make sure WebEditors is light, say only read access, and then layer on extra permissions in the admin system where needed.

As you have CustomRole here and no indication of the standard groups in the admin, this sounds like someone set up some sort of hybrid role to access all parts of Episerver, which is not best practice. I assume also CustomRole has high permissions, which means you'll not be able to change this user's permissions: the permissions are layered together, and you can't deny permissions once they are set. The purpose of layering these permissions from the ground up is to create a structure that allows you to progressively add permissions where needed around roles in the CMS.

#254094
Edited, Apr 29, 2021 15:41
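Added example, not code from the thread or from Episerver: a small Python model of how the web.config fragments posted above decide who reaches which location path. It reproduces the MappedRole virtual-role expansion (mode Any/All) and ASP.NET's ordered allow/deny evaluation across nested `<location>` elements, and goes slightly beyond the thread by checking all three paths for several users. The role names and `TestUser` come from the posts; the users `alice`, `bob` and `carol`, and the assumption that a MappedRole without a `mode` attribute behaves as `mode="Any"`, are mine.

```python
import xml.etree.ElementTree as ET

# Constructed web.config excerpt, reduced to the fragments posted in the thread.
WEB_CONFIG = """<configuration>
 <virtualRoles replacePrincipal="true"><providers>
  <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any"/>
  <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any"/>
  <add name="SearchAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="Administrators, WebEditors, CustomRole"/>
 </providers></virtualRoles>
 <location path="EPiServer"><system.web><authorization>
  <allow users="TestUser" roles="WebEditors, WebAdmins, Administrators, CustomRole"/><deny users="*"/>
 </authorization></system.web></location>
 <location path="EPiServer/CMS/admin"><system.web><authorization>
  <allow users="TestUser" roles="WebAdmins, Administrators, CustomRole"/><deny users="*"/>
 </authorization></system.web></location>
 <location path="Plugins"><system.web><authorization>
  <allow users="TestUser" roles="WebAdmins, Administrators, CustomRole"/><deny users="*"/>
 </authorization></system.web></location>
</configuration>"""
ROOT = ET.fromstring(WEB_CONFIG)

def names(attr):
    return {n.strip() for n in attr.split(",") if n.strip()}

def effective_roles(groups):
    """Group memberships plus every MappedRole virtual role they satisfy.
    Assumption: a MappedRole with no mode attribute behaves like mode="Any"."""
    roles = set(groups)
    for add in ROOT.iterfind("./virtualRoles/providers/add"):
        if not add.get("type", "").startswith("EPiServer.Security.MappedRole"):
            continue
        wanted = names(add.get("roles", ""))
        hit = wanted & roles
        if hit and (add.get("mode", "Any") != "All" or hit == wanted):
            roles.add(add.get("name"))
    return roles

def can_access(path, user, groups):
    """ASP.NET <authorization> evaluation: rules of the most specific matching
    <location> are checked first, then each parent's; the first match wins."""
    roles = effective_roles(groups)
    locs = [l for l in ROOT.iterfind("location")
            if path == l.get("path") or path.startswith(l.get("path") + "/")]
    for loc in sorted(locs, key=lambda l: -len(l.get("path"))):
        for rule in loc.iterfind("./system.web/authorization/*"):
            users, rule_roles = names(rule.get("users", "")), names(rule.get("roles", ""))
            if "*" in users or user in users or rule_roles & roles:
                return rule.tag == "allow"
    return True  # no rule matched: ASP.NET's default is to allow
```

With this config a user who is only in WebEditors reaches `EPiServer` but neither `EPiServer/CMS/admin` nor `Plugins`, while CustomRole opens all three, which is why layering starts from the lightest base role.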