Under certain circumstances, user accounts may be able to see content that they should not have access to, based on the permissions defined within the Runbook Designer, when that content is provided via the Web Service.
When a limited-access user logs in via the web console, they can obtain the same group token that was created for a previously logged-in user if the two users have group memberships in common.
A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that this article describes. Apply it only to systems that are experiencing this specific problem.
To resolve this problem, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site: http://support.microsoft.com/contactus/?ws=support
User A does not have rights to certain Runbooks, while User B does. When User A logs in to the Orchestrator Console before User B does, User A sees only the root folder, as expected. The subfolder is not visible. User B then logs in to an Orchestrator Console, on a different computer or the same computer. User B can see the subfolder, as expected. User A then refreshes the console and can now see both the root folder and the subfolder, which User A should not have permission to see.