The K1000 8.0 permission changes prevent users in a limited sub-admin role from adding out-of-scope devices/labels to a patch schedule. It also prevents them from running these schedules.

The user can however still view these patch schedules and remove/modify them. It would be better if any schedule containing an out-of-scope device/label were simply hidden from the user. This would prevent them from accidentally, or intentionally, deleting or breaking an existing schedule.

Alternatively, allow specific patch schedules to be restricted based on role setting.