I've tried "deny view any database to my_user" and that pretty much does the job of hiding DBs, except you still get to view some objects in master and tempdb. (selecting db_denydatareader/writer roles in these dbs, results in a complete failure to even log in).
the problem is that denying viewing any database also therefore includes MSDB, so that user's SQLAGent msdb role membership is ignored and the Agent disappears too.
any ideas how i get round this so that a given login can login, see NO database at all, but still have the SQLAgent in their object explorer as per their MSDB role membership?
thanks