AAA-180

MDSAL-Based Dynamic Authorization no longer works


    • Bug
    • Resolution: Done
    • Medium
    • Magnesium, Sodium SR3
    • Oxygen
    • General
    • None

      The following scenario used to work fine in Oxygen-SR1 according to https://docs.opendaylight.org/en/stable-oxygen/user-guide/authentication-and-authorization-services.html#mdsal-based-dynamic-authorization:

      1. Create 2 users (user-ro, user-full)

      2. Create 2 roles (role-ro, role-full)

      3. Assign roles accordingly to users (role-ro => user-ro, role-full => user-full)

      4. Configure policy:

      {
        "aaa:policies": {
          "aaa:policies": [
            {
              "aaa:resource": "/restconf/config/network-topology**",
              "aaa:permissions": [
                {
                  "aaa:role": "role-full",
                  "aaa:actions": [
                    "get",
                    "post",
                    "put",
                    "patch",
                    "delete"
                  ]
                },
                {
                  "aaa:role": "role-ro",
                  "aaa:actions": [
                    "get"
                  ]
                }
              ]
            }
          ]
        }
      }

      5. This used to return 401 in Oxygen-SR1; now it returns 200:

      curl -u user-ro:123456 -v -X DELETE http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology1
      *   Trying ::1...
      * TCP_NODELAY set
      * Connected to localhost (::1) port 8181 (#0)
      * Server auth using Basic with user 'user-ro'
      > DELETE /restconf/config/network-topology:network-topology/topology/topology1 HTTP/1.1
      > Host: localhost:8181
      > Authorization: Basic dXNlci1ybzoxMjM0NTY=
      > User-Agent: curl/7.59.0
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      < Set-Cookie: JSESSIONID=bqj10ho2znkj1u3qh9fgph6m8;Path=/restconf
      < Expires: Thu, 01 Jan 1970 00:00:00 GMT
      < Set-Cookie: rememberMe=deleteMe; Path=/restconf; Max-Age=0; Expires=Thu, 06-Sep-2018 05:30:51 GMT
      < Content-Length: 0
      <
      * Connection #0 to host localhost left intact

            gvrangan Venkatrangan Govindarajan
            rkosegi Richard Kosegi
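Added example (not part of the original report and not OpenDaylight code): the outcome the reporter expects from steps 1-5, written as a Python check that evaluates the step 4 policy against a user's roles and flags any observed response the policy denies but that did not come back as 401. The glob matching, the allow-by-default for paths no policy covers, and the names is_allowed, find_bypasses, TOPOLOGY and OBSERVED are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Policy from step 4 of the report, embedded so the example runs offline.
POLICY = {"aaa:policies": {"aaa:policies": [{
    "aaa:resource": "/restconf/config/network-topology**",
    "aaa:permissions": [
        {"aaa:role": "role-full",
         "aaa:actions": ["get", "post", "put", "patch", "delete"]},
        {"aaa:role": "role-ro", "aaa:actions": ["get"]},
    ],
}]}}

# Role assignments from step 3 of the report.
USER_ROLES = {"user-ro": {"role-ro"}, "user-full": {"role-full"}}

TOPOLOGY = ("/restconf/config/network-topology:network-topology"
            "/topology/topology1")


def is_allowed(user, method, path):
    """Decision the reporter expects for one request (simplified model)."""
    roles = USER_ROLES.get(user, set())
    for rule in POLICY["aaa:policies"]["aaa:policies"]:
        # Assumption: plain glob matching in which '*' also crosses '/'.
        if not fnmatchcase(path, rule["aaa:resource"]):
            continue
        # The first policy covering the path decides: some role held by
        # the user must list the HTTP method among its actions.
        return any(p["aaa:role"] in roles and method.lower() in p["aaa:actions"]
                   for p in rule["aaa:permissions"])
    return True  # assumption: paths no policy covers are left unrestricted


def find_bypasses(observations):
    """Return (user, method, path, status) rows denied by policy but not 401."""
    return [o for o in observations
            if not is_allowed(o[0], o[1], o[2]) and o[3] != 401]


# First row is the curl result from step 5; the other two are constructed.
OBSERVED = [
    ("user-ro", "DELETE", TOPOLOGY, 200),
    ("user-ro", "GET", TOPOLOGY, 200),
    ("user-full", "DELETE", TOPOLOGY, 200),
]

if __name__ == "__main__":
    for row in find_bypasses(OBSERVED):
        print("authorization bypass:", *row)
```

Only the first row, the DELETE issued as user-ro in step 5, is reported; the read by user-ro and the delete by user-full are permitted by the policy.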