Token policies and identity policies

I have recently been trying to get more used to the token generator and policies.
I tried to make a token for a user that is more restrictive than the rights he might have, for automation for example.
From the results I get, it seems that if the identity for which you make a token has more rights than those defined by the token policy, then you get more access through the token thanks to the identity policies, except if you create an orphan token.
Does that seem right to you?
For my part, I want to create a token with fewer rights than those of my current user, but within my capabilities and as a child token, so that it goes away when my current token dies.
Every time I tried, my child token seems to get the same capabilities as its parent via my identity policy. Am I doing it the wrong way, or is this not the right way to do it?