Change this
to this
path “webserver/data/database/base” {
capabilities = [“deny”]
}
That should get you what you’re after.
Edit:
As @stuart-c mentioned you need to build ACLs around the API paths. KVv2 can be a bit confusing at first as there are some obfuscated paths when using the GUI and CLI. Checkout the API docs for full details for relevant pathing in your ACLs: KV - Secrets Engines - HTTP API | Vault | HashiCorp Developer