In an environment where there's one tenant and multiple system folders for different departments. The problem is when a new agent is built, the user building the agent has access to few other departments’ system folders through the "Selected Path" pull down option and can view and make changes to other department’s contents. The user has Supervisor access just for their department folder and has “Basic” access to the tenant folder. The only reason the user has “Basic” access to the tenant folder is because he must have access to the Peripheral resource to create new agents. If the user does not have “Basic” access to the tenant folder, they they're not able to see other departments (which gives the customer what they want), but then they are not be able to create new users (without the basic access to the tenant folder).
See screen shot shows how user is able to access the other departments’ system folders.
In order to restrict the person from viewing other departments’ system folders or from making any changes, you need to create an isolated Peripheral. This means putting the Peripheral into a folder and giving “Basic” access to this folder and then removing the “Basic” access to the tenant. This should stop the user from being able to see the other departments but still be able to provision/create new agents.