1906 RBAC on folders needs to be optional.
SCCM 1906 introduced scopes on folders which would be fine for a new SCCM install but not for an existing SCCM infrastructure that relies heavily on RBAC. Users don't understand why they can't find folders others have created in 1906.
During upgrade from 1902 – 1902, SCCM automatically “fixes” all your folders so they behave just like they did with 1902. It does this by setting them with every security scope, allowing users to still see these folders in 1906.
Once 1906 is installed any new folder is created with the scope of the user creating it.
SCCM 1902 - Geneva user with Geneva scope creates a folder in 1902; anyone could see the folder.
SCCM 1906 - Geneva user with Geneva scope creates a folder; only users with Geneva scope will be able to see the folder and no other users, causing mass confusion in the console.
If RBAC on folders was available when SCCM 1st came out years ago we could have designed RBAC accordingly.
MS can’t just introduce this mandatory “feature” on an SCCM environment that has been up for years without breaking/redesigning RBAC.
RBAC on folders should be something that can be turned off during the upgrade to keep 1902 folder behavior.
This has created a lot of issues for us as well. One possible improvement could be to allow new folders to inherit parent folder security scopes.
Doug Varner commented
I can see where some implementation changes could be made to default behaviors of what happens during the upgrade and post upgrade to allow different usage scenarios. That being said, I understand the idea and think this has merit as a start.