Engine policies

Hey,
I have a Vault Enterprise instance running on my local network, with a few teams using it.
Each team gets its policies by applying the policy to the group (using group alias names from Active Directory - LDAP auth).

I would like to store “public” engines in the root path that anyone can use - such as PKI/SSH/Transit - where nobody except me can create/delete/edit anything in root; everyone else can only use the engines with their roles/secrets.
I’d like root to be empty by default for new users, except when I give their group a policy that allows that group to use those engines.
In addition, I want each group to have its own namespace where they have basically admin privileges, so when they log into root they can see all the “public” engines stored in root, and only the namespaces assigned to their groups.

Currently, I use the default “default” policy, and I create a new namespace for each team with a policy granting admin privileges to that namespace.
For example: Team A gets a namespace called TeamA and a policy for that group looking like this:

path "TeamA/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}

This works fine.

I also created policies for each “public” engine so I can give each group the “public” engines I want them to have.
For example, I have an engine called “PKI” mounted in root.
Now I want to create a policy that, when assigned to a group, grants that group the ability to see and use the engines in root.
I tried something similar to this:

path "pki/" {
    capabilities = ["read"]
}

This does not work for me :frowning:

Can you give me a lead as to what fields I need in my policies to achieve this architecture for my Vault?
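As an added example (not from the original poster), here is what a consumer-only policy for a PKI engine mounted at `pki/` in the root namespace can look like. Vault matches policy paths exactly unless they end in `*`, and `pki/` by itself is not an API endpoint, so `path "pki/"` with `read` grants nothing usable; capabilities have to be attached to the concrete endpoints the group will call. The mount path `pki/` is taken from the post; the role name `web` is a hypothetical placeholder.

```hcl
# Added example (not from the original post): least-privilege policy for a
# group that should use, but not administer, a PKI engine mounted at "pki/"
# in the root namespace. The role name "web" is a hypothetical placeholder.

# Let the token discover which engines are mounted ("vault secrets list" and
# the UI read this). "read" here exposes mount metadata only, not secrets.
path "sys/mounts" {
  capabilities = ["read"]
}

# Let users enumerate and inspect the roles the engine offers, so they know
# what they are allowed to request.
path "pki/roles" {
  capabilities = ["list"]
}
path "pki/roles/*" {
  capabilities = ["read"]
}

# Issue certificates from one named role. "create" and "update" cover the
# POST to pki/issue/<role>. Nothing under pki/config or pki/root is granted,
# so the group cannot reconfigure the engine or replace the CA.
path "pki/issue/web" {
  capabilities = ["create", "update"]
}

# Read the CA certificate and CRL for chain building and revocation checks.
path "pki/cert/ca" {
  capabilities = ["read"]
}
path "pki/cert/crl" {
  capabilities = ["read"]
}

# Explicitly deny the administrative surface so a broader rule added later
# (for example "pki/*") cannot widen access: "deny" overrides every other
# capability in Vault policy evaluation.
path "pki/config/*" {
  capabilities = ["deny"]
}
path "pki/root/*" {
  capabilities = ["deny"]
}
```

Write it with `vault policy write pki-consumer pki-consumer.hcl`, attach it to the group alongside the existing `TeamA` policy, and verify the effective permissions of a member's token with `vault token capabilities <token> pki/issue/web` (expect `create, update`) and `vault token capabilities <token> pki/config/urls` (expect `deny`). Because the policy lists only the endpoints a consumer needs, nothing in root other than the granted engine becomes visible or writable to the group.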