AAA-248

Incorrect behavior in aaa-policy in aaa version 0.17.2 (Netconf-5.0.0)


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium

      Using Netconf version 5.0.0, which includes aaa version 0.17.2.

      A user who is assigned a policy to perform only the 'GET' operation is also able to perform the 'PUT' operation.

      Step 1: Creation of user.

      curl --user admin:admin --request POST 'http://<controller_IP>:8181/auth/v1/users' \
      --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      --data '{
          "name": "abc",
          "description": "User to perform only read operation",
          "enabled": 1,
          "email": "abc@xyz.com",
          "password": "abc@123",
          "domainid": "sdn"
      }'

      Step 2: Assigning role to the user

      curl --user admin:admin --request POST 'http://<controller_IP>:8181/auth/v1/domains/sdn/users/abc@sdn/roles' \
      --header 'Content-Type: application/json' \
      --header 'Accept: application/json' \
      --data '{
          "roleid": "read_only@sdn",
          "domainid": "sdn"
      }'

      Step 3: Assigning policy to the role

      {
          "aaa:policies": [
              {
                  "aaa:resource": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=node_id/**",
                  "aaa:permissions": [
                      {
                          "aaa:role": "read_only",
                          "aaa:actions": [
                              "get"
                          ]
                      }
                  ]
              }
          ]
      }

      Summary: The user is authorized to perform only the 'GET' operation, but is allowed to perform the 'PUT' operation as well.

            gvrangan Venkatrangan Govindarajan
            arun.v Arun Venkatesha