Create an orphan token with limited access

Hi Guys,
I’m trying to create an Orphan token which limits access to only a single namespace, so that I can maintain separate tokens for separate clients. I have tried creating a separate policy which grants the access to different levels… but I keep on getting a permission denied error. Can anyone pls shed light on this in terms of the policies that need to be created?