We have users that make maps using desktop software, which are then published to our portal (federated environment). Their publishing rights are controlled through publisher roles that are configured within the portal site. When they publish services, they have the ability to publish anywhere on server - which is explained in this server documentation:
"If a role's type is set to either Administrator or Publisher, that role automatically gets implicit access permission to all GIS web services hosted on the ArcGIS Server site. This implicit permission cannot be overridden by changing the permissions on a service or folder."
This is problematic as services get published all over the server, including in the root. Because this happens behind the scenes, users are often not aware of where their services ended up on the server - making maintenance, clean up, and troubleshooting of services difficult and time consuming. Our support team currently has to monitor each folder for any services that do not belong there, manually look up the owner in portal, reach out, help them publish again into the correct location, and then delete the original from the wrong location.
We would like the ability to enforce publishing locations on the server so that we can eliminate these extra steps and keep everything "behind the scenes" clean and organized.