Issues with managing policy updates for userpass users

I am running into an issue when trying to manage policy updates for userpass users. The scenario is described in detail in the links below, but the high-level intent is as follows:

  1. Admin needs to be able to update policies attached to users
  2. Admin can only grant specific policies

In order to satisfy item 2, the admin has the following policy:

Now the issue that I am running into is that the admin seems to be able to assign a policy that is not allowed by prefixing it with an allowed policy. Is this because of the '*' pattern match in the admin policy in the link above?

Please see sample steps to repro the issue in the link below:

I would like to get some recommendations on best practices on managing policy updates on users and/or how to fix this issue.
Using Vault 1.3.3.
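
A simplified model of the matching question raised in this post, added here as an example; it is not part of the original post and not Vault's own code. It assumes the allow-list is applied as a prefix/suffix glob over the whole comma-separated `policies` value, and every policy name and pattern in it is constructed.

```python
# Simplified model, not Vault's implementation. All names below are constructed.

def glob_match(pattern: str, value: str) -> bool:
    """Prefix/suffix glob: a leading or trailing '*' matches any run of characters."""
    if pattern == "*":
        return True
    if len(pattern) >= 2 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def whole_value_check(allowed_patterns, policies_param: str) -> bool:
    """Weak check: the comma-separated list is matched as one opaque string."""
    return any(glob_match(p, policies_param) for p in allowed_patterns)

def per_policy_check(allowed_names, policies_param: str) -> bool:
    """Stricter check: split the list and require exact membership per entry."""
    requested = [p.strip().lower() for p in policies_param.split(",")]
    if any(not p for p in requested):
        return False  # reject empty entries such as "a," or ""
    return all(p in allowed_names for p in requested)

def audit(allowed_patterns, allowed_names, requests):
    """Return the requests the glob check accepts but the exact check rejects."""
    return [r for r in requests
            if whole_value_check(allowed_patterns, r)
            and not per_policy_check(allowed_names, r)]

ALLOWED_PATTERNS = ["app-readonly*"]                 # constructed glob allow-list
ALLOWED_NAMES = {"app-readonly", "app-readonly-eu"}  # constructed exact allow-list
REQUESTS = [                                         # constructed update requests
    "app-readonly",
    "app-readonly-eu",
    "app-readonly,ops-admin",  # allowed name followed by an extra policy
    "ops-admin",
    "app-readonly, ",
]

if __name__ == "__main__":
    for request in audit(ALLOWED_PATTERNS, ALLOWED_NAMES, REQUESTS):
        print("glob accepts, exact check rejects:", repr(request))
```
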