# Authorization policy tree: three wildcard selector levels, then a map of
# action -> allow/deny.
# NOTE(review): the nesting below was rebuilt from a rendering that had lost
# its line breaks; confirm it against the consuming tool's policy schema.
policy:
  # What each of the three '*' levels selects is defined by the consumer and
  # is not visible in this file; '*' presumably matches anything at that level.
  '*':
    '*':
      # NOTE(review): the wildcard entry is allow, so this is a deny-list --
      # presumably every action not named below is permitted, including
      # actions the consumer gains later. Consider a wildcard deny with
      # explicit allows if the consumer supports it.
      '*': allow
      create: deny
      delete: deny
      perform:
        purge: deny
        clone: deny
        # Placed under perform because every shallower level already has a
        # '*' key and a second one there would be a duplicate. Presumably
        # permits every other perform sub-action -- verify.
        '*': allow