
I am using Vault's SSH PKI secrets engine and have multiple roles defined

pki/
   role1
   role2
   role3
   ...

I want to give access to the roles via the web GUI. So, to my understanding, I have to specify a list policy:

   path "/ssh/*" {
       capabilities = ["list"]
   }

A user assigned this policy can view all configured roles behind /ssh/. Is there a way for a policy to only allow viewing a subset, let's say role1?

I checked the documentation about policies and could not really find anything. I also tried

   path "/ssh/role1" {
       capabilities = ["list"]
   }

which did not work.

Ken White
Teosch

1 Answer


The permission should be:

   path "/<pki-engine-path>/roles" {
       capabilities = ["list"]
   }

Default:

   path "/pki/roles" {
       capabilities = ["list"]
   }

Kamol Hasan
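A quick way to sanity-check such a policy before loading it into Vault, added here as an illustration and not part of the question or the answer: a small Python model of Vault's ACL path matching (an exact rule beats a glob, the longest glob prefix wins, `+` matches one segment, no match means deny) run over the answer's policy and the asker's two attempts. It assumes the SSH engine is mounted at `ssh/`, writes policy paths without a leading slash, and ignores Vault's trailing-slash handling for list requests.

```python
from typing import Dict, List

# Constructed policy for this example (not from the page). Assumes the SSH
# secrets engine is mounted at ssh/ and paths carry no leading slash.
RESTRICTED_POLICY: Dict[str, List[str]] = {
    "ssh/roles": ["list"],        # lets the UI enumerate role names
    "ssh/roles/role1": ["read"],  # only role1's definition is readable
}

# The asker's two attempts, modelled the same way for comparison.
ASKER_GLOB_POLICY = {"ssh/*": ["list"]}
ASKER_EXACT_POLICY = {"ssh/role1": ["list"]}


def _rule_matches(rule: str, request: str) -> bool:
    """Simplified Vault path matching: '+' matches exactly one segment,
    a trailing '*' is a prefix glob, anything else must match exactly."""
    r_segs, q_segs = rule.split("/"), request.split("/")
    if rule.endswith("*"):
        head, tail = r_segs[:-1], r_segs[-1][:-1]
        if len(q_segs) < len(r_segs):
            return False
        if any(r != "+" and r != q for r, q in zip(head, q_segs)):
            return False
        return "/".join(q_segs[len(head):]).startswith(tail)
    if len(r_segs) != len(q_segs):
        return False
    return all(r == "+" or r == q for r, q in zip(r_segs, q_segs))


def allowed(policy: Dict[str, List[str]], request: str, capability: str) -> bool:
    """True if the most specific matching rule grants `capability`.
    Exact rules beat globs, longer globs beat shorter ones, and either no
    matching rule or an explicit 'deny' refuses the request (Vault's default)."""
    matching = [p for p in policy if _rule_matches(p, request)]
    if not matching:
        return False
    best = min(matching, key=lambda p: (p.endswith("*"), -len(p)))
    caps = policy[best]
    return "deny" not in caps and capability in caps


if __name__ == "__main__":
    print(allowed(RESTRICTED_POLICY, "ssh/roles", "list"))        # True
    print(allowed(RESTRICTED_POLICY, "ssh/roles/role1", "read"))  # True
    print(allowed(RESTRICTED_POLICY, "ssh/roles/role2", "read"))  # False
    print(allowed(ASKER_EXACT_POLICY, "ssh/roles", "list"))       # False
```

Note that a `list` grant on `ssh/roles` still returns every role name; what the per-role `read` rule restricts is which role definitions the user can actually open.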