I believe the security settings for pages only work when used in navigation… In this case, the security of the microflow allows admin to perform this action, so the admin can see the page…
5 Entity Access vs. Page Access
Per entity you can specify who can read or write what members (attributes and associations) under what circumstances. Using XPath constraints you can express powerful security behavior; for example, “an employee can only see orders created by the department he is a part of”.
Per page you can specify who can open it from navigation. The menu bar is optimized so that only pages that the user has access to are visible.
A combination of entity access and page access is necessary because entities can also be accessed from microflows and custom widgets. Furthermore, you can express more advanced security through entity access.
Please check your app security user role section for Administrator: you would have mapped the module role ‘user’ to Administrator.
No, I mapped Administrator to admin.