Get-PSSessionCapability returns capabilities even when the speficied user doesn't have permissions to connect to the session
The documentation on Get-PSSessionCapability states it returns information (capabilities) on the session configuration the specified username has on it, but it also returns it for a SessionConfiguration (created with a pssc file) when it wasn't created with a RoleDefinition, no matter if the specified user can or cannot access it.
I would expect it not to return any information for that SessionConfiguration, or have a property that indicates the specified doesn't have the required permissions (invoke / fullcontrol).
Ryan Puffer commented
Thanks for sharing this feedback. To provide some background context: Get-PSSessionCapability is designed to show you which cmdlets someone would have access to IF they were able to connect to the endpoint. It does not actually check if the user has access to the endpoint. Users who don't have access to the endpoint will see the basic 8 commands included in any JEA session. The RoleDefinition field itself is actually optional -- while we recommend you use PSRC files to define your roles, you could also just declare the visible cmdlets and functions in the PSSC file (meaning everyone belongs to the same role).
We'd like to survey the forum to see how others feel about having Get-PSSessionCapability return an error or empty set if the specified user does not have access to the endpoint. Let us know in the comments and with the Vote button if you also desire this or another behavior of Get-PSSessionCapability.