Cannot "hide" pki configuration

Hi all!

I created a pki secret engine and wanted to let users to sign certificates and so on but not touch the configuration part via the ui.
I’ve been looking around and trying different ways via the policy to do so but none of it seems to work.
I tried out of curiosity to “deny” access to all of its content;

path “pki/*” {
capabilities = [“deny”]

and as expected, you can’t access any of it, yet, you can still get into the configuration window and edit it (replace ca, etc).
I’m not sure if that’s intentional or I’m doing something wrong?