Weird behaviour with + in policy

Hi,

I have a weird behaviour with + in policy. I want to create a deny policy with the + character and an accept policy:
name mongo-deny
rules
path "secret/data/config/test/mongo/+/admin" {
  capabilities = ["deny"]
}
path "secret/data/config/test/mongo/+/backup" {
  capabilities = ["deny"]
}

name mongo-accept
rules
path "secret/data/config/test/mongo/foo/*" {
  capabilities = ["read"]
}

A token with these policies is authorized to read the admin and backup secret.

If I remove the + character and replace it with a fixed path in the deny policy, the token is now unauthorized to read the admin and backup secret.

I think I’m missing something in the + character utilization in policy.

Regards
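
Added example, not part of the original post and not Vault's own code: a small Python model of the path-priority rules listed in Vault's policy documentation (when several patterns match a request path, only the highest-priority pattern applies, and a pattern whose first `+` or `*` occurs earlier has lower priority), applied to the two policies above. The function names and the `RULES` list are assumptions made for this sketch, and merging of capabilities for identical paths is not modelled.

```python
import math

# The three policy paths from the post, flattened into one list (constructed).
RULES = [
    ("secret/data/config/test/mongo/+/admin", ["deny"]),
    ("secret/data/config/test/mongo/+/backup", ["deny"]),
    ("secret/data/config/test/mongo/foo/*", ["read"]),
]

def matches(pattern, path):
    """'+' matches exactly one segment; a trailing '*' makes a prefix match."""
    is_glob = pattern.endswith("*")
    pat = (pattern[:-1] if is_glob else pattern).split("/")
    segs = path.split("/")
    if len(segs) < len(pat) or (not is_glob and len(segs) != len(pat)):
        return False
    for i, want in enumerate(pat):
        if want == "+":
            continue
        if is_glob and i == len(pat) - 1:
            if not segs[i].startswith(want):
                return False
        elif want != segs[i]:
            return False
    return True

def priority(pattern):
    """Sort key (larger wins), in the order the documentation lists the rules."""
    wild = [pattern.index(c) for c in "+*" if c in pattern]
    return (
        min(wild) if wild else math.inf,   # first wildcard/glob later = higher
        not pattern.endswith("*"),          # non-glob beats glob
        -pattern.split("/").count("+"),     # fewer '+' segments = higher
        len(pattern),                       # longer = higher
        pattern,                            # lexicographically larger = higher
    )

def decide(path, rules=RULES):
    """Return (winning pattern, capabilities); no match means default deny."""
    hits = [r for r in rules if matches(r[0], path)]
    return max(hits, key=lambda r: priority(r[0])) if hits else (None, ["deny"])

if __name__ == "__main__":
    base = "secret/data/config/test/mongo/"
    for p in (base + "foo/admin", base + "bar/admin"):
        print(p, "->", decide(p))
```

For `.../mongo/foo/admin` the `+` in the deny path sits at an earlier offset than the `*` in `.../mongo/foo/*`, so the read rule wins. A deny path with the literal segment has no wildcard at all, which is why the fixed-path variant described in the post denies access.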