since version 1906 SCCM supports role-based access control (RBAC) for folders. This can be configured trough the SCCM console or (recommended) PowerShell.
unfortunattely the current version of the commandlet Get-CMObjectSecurityScope doesn’t support any folder as InputObject. so, if you want to know, which Security Scope is allowed to see a folder, you have to use this:
$PathName = 'LAB:\DeviceCollection\FolderName\SubFolder'
$SiteCode = 'LAB'
$SiteServer = 'server.domain.net'
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -Scope Global -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer -Scope Global | Out-Null
Set-Location -Path "$( $SiteCode ):\"
$Folder = Get-Item $PathName
Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$( $SiteCode )" -Query "SELECT * FROM SMS_SecuredCategoryMembership WHERE ObjectKey = '$( $Folder.ContainerNodeID )'" | ForEach-Object { Get-CMSecurityScope -Id $_.CategoryID }
to add or remove any SecurityScopes to a Folder, you can use this build-in commandlets:
Add-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName
Remove-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName