Rundeck key storage ACL grant access to path

Yet another example of unclear docs.

If you want to grant a user or group access to a key path such as 'keys/teamname/projectname/.' , It’s NOT enough to simply add a “matched” block.

You have to be very specific- like this:

for:
  storage:
    - match:
        path: 'keys/team1/.*'
      allow: [read,create,update,delete]
    - equals:  
        path: keys/team1
      allow: [read]