Custom role and heritage

i need you help, because, i do not understand the behaviour of my newly created project custom role.

i want a custom role : “project owner” but with restriction on “networkpolicies”.
I go to the global->security->role->project ,
Clone the “Project owner role” , rename as “my project owner role”
add the ressource : “networkpolicies” , API Groups : “”, granting : get, list, watch.

And save. Then i assign my user X in project Y to the role “my project owner role”
Log-in as X in rancher, launch kubectl console and do :

>> kubectl auth can-i delete networkpolicies

what ??? why ??? i restricted it !!!
where is my mistake ?

Best regards.

Permissions are only additive; what you can do is the sum of all the permissions all the roles granted give you. So for example if you didn’t remove the rolebinding to the regular project owner role then you still have everything it grants.

oh, ok, i remove the inherit from role, and leave it empty.
but still got trouble,

kubectl auth can-i delete networkpolicies


kubectl auth can-i list networkpolicies

not cool!!! as i grant the list ressource to networkpolicies
i also loose the permissions on some other ressources like ingress , secrets, pods, …

i do another test, i inherit my role from from readonly, the grants on network polices are ok,
but missing grants on pods,secrets, ingress …

is there a way to see all native project owner ressource, including the one it inherits from ?
and duplicate it to a standalone role without inherits ? and just remove the unwanted ressources ?

i just need a project owner without network policyressource granted.