My goal with the SSISDB catalog's folders is to limit users to only a certain folder, but inside that folder they're essentially admins. I don't want them to have any permissions whatsoever on other folders. Seemed easily doable via folder permissions, right? Well, I didn't manage to achieve that, despite the user's login (a group he was a member of) having all permissions on a folder. The only thing that helped was the ssis_admin role on the SSISDB database, but that is of course not ideal, since then the user has permissions on all folders.
Bug or am I missing something / doing something wrong?
- Put a user into a Windows group (this might be the problem, a login for a single user worked fine).
- Create a login L for the group.
- Create a user for this login in the SSISDB database (public role only).
- Create folder X in SSISDB catalog.
- Give login L all permissions on folder X (read, modify...). Do not make L a member of the ssis_admin role on the SSISDB database.
The user can't see the folder in the SSMS GUI (or the catalog.folders view), not unless I make his login a member of the ssis_admin role on the SSISDB database.
As I mentioned above: I tried this repro with a login for a single AD user (not a group!) and had no problem there!
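
The repro steps above written out as T-SQL, as an added example that is not part of the original post. The group name `CONTOSO\SsisFolderXUsers` is a hypothetical placeholder; the closing queries only confirm that the folder grants were recorded for the group principal and that it is not in `ssis_admin`.

```sql
-- Added example. CONTOSO\SsisFolderXUsers is a placeholder Windows group name.
USE master;
CREATE LOGIN [CONTOSO\SsisFolderXUsers] FROM WINDOWS;
GO
USE SSISDB;
CREATE USER [CONTOSO\SsisFolderXUsers] FOR LOGIN [CONTOSO\SsisFolderXUsers];
GO
DECLARE @folder_id bigint, @principal_id int, @perm smallint;

EXEC catalog.create_folder @folder_name = N'X', @folder_id = @folder_id OUTPUT;

SELECT @principal_id = principal_id
FROM sys.database_principals
WHERE name = N'CONTOSO\SsisFolderXUsers';

-- Folder-level permission types: 1 READ, 2 MODIFY, 4 MANAGE_PERMISSIONS,
-- 100 CREATE_OBJECTS, 101 READ_OBJECTS, 102 MODIFY_OBJECTS,
-- 103 EXECUTE_OBJECTS, 104 MANAGE_OBJECT_PERMISSIONS.
DECLARE perms CURSOR LOCAL FAST_FORWARD FOR
    SELECT v FROM (VALUES (1),(2),(4),(100),(101),(102),(103),(104)) AS p(v);
OPEN perms;
FETCH NEXT FROM perms INTO @perm;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC catalog.grant_permission
         @object_type     = 1,            -- 1 = folder
         @object_id       = @folder_id,
         @principal_id    = @principal_id,
         @permission_type = @perm;
    FETCH NEXT FROM perms INTO @perm;
END
CLOSE perms;
DEALLOCATE perms;
GO
-- Run as an administrator: which explicit grants exist on folder X, and for whom?
SELECT f.name AS folder_name, dp.name AS principal_name, dp.type_desc,
       p.permission_type, p.is_deny
FROM catalog.explicit_object_permissions AS p
JOIN catalog.folders AS f ON f.folder_id = p.object_id
JOIN sys.database_principals AS dp ON dp.principal_id = p.principal_id
WHERE p.object_type = 1 AND f.name = N'X';

-- Expect 0: the group must stay out of ssis_admin for the folder scoping to matter.
SELECT IS_ROLEMEMBER(N'ssis_admin', N'CONTOSO\SsisFolderXUsers') AS in_ssis_admin;

-- Run in a group member's own Windows-authenticated session to see what they get:
-- SELECT name FROM catalog.folders;
-- SELECT * FROM catalog.effective_object_permissions WHERE object_type = 1;
```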