Incorrect behavior in aaa-policy in aaa version 0.17.2 (Netconf-5.0.0)

Description

Using Netconf version 5.0.0, which includes aaa version 0.17.2.

A user who is assigned a policy permitting only the 'GET' operation is also able to perform the 'PUT' operation.

Step 1: Creation of user.

curl --user admin:admin --request POST 'http://<controller_IP>:8181/auth/v1/users' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --data '{
    "name": "abc",
    "description": "User to perform only read operation",
    "enabled": 1,
    "email": "abc@xyz.com",
    "password": "abc@123",
    "domainid": "sdn"
}'

Step 2: Assigning role to the user

curl --user admin:admin --request POST 'http://<controller_IP>:8181/auth/v1/domains/sdn/users/abc@sdn/roles' \
  --header 'Content-Type: application/json' \
  --header 'Accept: application/json' \
  --data '{
    "roleid": "read_only@sdn",
    "domainid": "sdn"
}'

Step 3: Assigning a policy to the role

{
    "aaa:policies": [
        {
            "aaa:resource": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=node_id/**",
            "aaa:permissions": [
                {
                    "aaa:role": "read_only",
                    "aaa:actions": [
                        "get"
                    ]
                }
            ]
        }
    ]
}

Summary: The user is authorized to perform the 'GET' operation only, but is allowed to perform the 'PUT' operation as well.
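The following is an added example, not code from the aaa project or from this report. It is a simplified, default-deny re-implementation of the policy semantics the report's Step 3 document describes (an Ant-style resource pattern where '**' matches any trailing path, a role, and a list of permitted HTTP methods), so that the expected outcome for the reported scenario can be pinned down in a unit test: a caller holding only the read_only role must be granted GET and refused PUT on the NETCONF mount path. Assumptions: the policy document is compared against the bare role name "read_only" as written in the policy (not "read_only@sdn"), '/**' also matches the resource itself with no trailing segment, and anything not explicitly granted is denied. The request path under test is constructed, not taken from the report.

```python
import re
from typing import Iterable

# Constructed policy document mirroring the shape shown in Step 3 of the report.
POLICIES = {
    "aaa:policies": [
        {
            "aaa:resource": "/rests/data/network-topology:network-topology/"
                            "topology=topology-netconf/node=node_id/**",
            "aaa:permissions": [
                {"aaa:role": "read_only", "aaa:actions": ["get"]}
            ],
        }
    ]
}

# Constructed request path: a sub-resource under the protected node.
NODE_PATH = ("/rests/data/network-topology:network-topology/"
             "topology=topology-netconf/node=node_id/yang-ext:mount")

ALL_METHODS = ("get", "post", "put", "patch", "delete")


def _resource_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style resource pattern into an anchored regex.

    '/**' matches the resource itself or any number of trailing segments,
    '**' elsewhere matches anything, '*' matches within a single segment.
    (Assumption: this approximates, not reproduces, the project's matcher.)
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def authorize(policies: dict, path: str, method: str, roles: Iterable[str]) -> bool:
    """Default-deny check: True only if a policy whose resource matches `path`
    lists `method` among the actions granted to one of the caller's roles."""
    method = method.lower()
    held = set(roles)
    for policy in policies["aaa:policies"]:
        if not _resource_regex(policy["aaa:resource"]).match(path):
            continue
        for perm in policy["aaa:permissions"]:
            granted = {a.lower() for a in perm["aaa:actions"]}
            if perm["aaa:role"] in held and method in granted:
                return True
    return False


def expected_denials(policies: dict, path: str, roles: Iterable[str]) -> set:
    """Methods that a correct enforcer must refuse for these roles on `path`.
    Useful as the oracle for a regression test against a running controller."""
    roles = list(roles)
    return {m for m in ALL_METHODS if not authorize(policies, path, m, roles)}


if __name__ == "__main__":
    for m in ALL_METHODS:
        verdict = "allow" if authorize(POLICIES, NODE_PATH, m, ["read_only"]) else "deny"
        print(f"{m.upper():6s} -> {verdict}")
```

With the report's policy, only GET is allowed for read_only; PUT, POST, PATCH and DELETE all land in expected_denials, which is the set of methods a regression test would probe against the controller after assigning the policy.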

Environment

None

Created January 31, 2023 at 12:19 PM
Updated January 31, 2023 at 12:19 PM