The way it currently works in 10.x is if you assign the Manage Configuration Items capability to any role they are able to modify any CI that belongs to any role. We have many groups in our organization that need to be able to modify their own System accounts and system properties but ONLY those that apply to their own role. They should NOT be able to modify CIs that belong to other roles.
This new version takes away much of the granularity that existed in 9.x and does not account for what could be considered multi-tenancy. Meaning so many of the capabilities you can apply are ALL or NOTHING for all roles.
It needs to be changed so that any capability you add to a role is only functional or applies to that specifics role content, CIs, and any other related aspects. This is turning into an administration nightmare having to manage all the different components for over 50+ teams we have using the tool! The problem is if we add Manage Configuration Items to one role they are then able to make changes to any of the items that do not apply to their content and we cannot have Team A being able to modify Team Bs content/items and vice versa.
Please investigate and see what can be done as a solution to this issue.