How to only allow user publishing to specific folders?
When creating the folder, choose to create a separate feed for that folder as described in the Package guide. The packages published to the tenant will not be available at the folder and vide versa.
Isolating users to a folder is achieved by only providing them permissions to their assigned folder. This can be done as normal from Folder Management. When these users want to publish a process, they will have the option to publish to either the Tenant or the folder feeds for any Folders they are a member of:
At this point, to limit the user's ability to publish to the tenant feed but not to the folder feed, please perform the steps outlined in our knowledge article: How to Disable Publishing To Orchestrator at the Tenant level , but allow these permissions on Folder Packages at the Folder level. The users will still see an option to publish to the Tenant feed but they will be alerted that they do not have permissions if they try to publish to it (as noted in the linked KB). Publishing to the folder feed will succeed.
Example permissions for this role: