Tags: kubernetes, rancher

How to prevent a user from creating a Kubernetes secret in the Rancher side


Long story short. I have a Rancher cluster. There is a foo project in the cluster and a bar namespace in the foo project (rancher cluster -> foo project -> bar namespace). I assigned a user to the foo project with the project-member role.

And my question is, how can I prevent the user from creating a Kubernetes secret object? I want to keep the project-member role except for the create-secret permission, and I want to achieve this on the Rancher side.

What have I found out so far?

  1. I asked ChatGPT about it and it gave me the following solution: "Create RBAC objects: a role and a rolebinding with get, list and watch verbs for the secrets resource." I don't want to create RBAC in my case.
  2. Rancher's project-member role doesn't contain the secrets resource, so I don't even know how a user with the project-member role is able to create a secret. Could anyone explain it to me?

Update #1

By default, the Rancher role of project-member inherits from the Kubernetes-edit role, and the project-owner role inherits from the Kubernetes-admin role. As such, both project-member and project-owner roles will allow for namespace management, including the ability to create and delete namespaces. (source)

There is an edit ClusterRole object which contains permission for creating a secret.

Update #2

I can create a custom project role which inherits from the Read-only role, and then I can add the required permissions and roles. I think it might be the best option in my case. I won't mark the question as answered yet.

Thanks in advance!


Solution

  • This is what I've done to achieve my goal:

    1. I created a project/namespace role named restricted-project-member.
    2. The restricted-project-member role inherits from the Read-only role.
    3. I took the permissions from the Kubernetes ClusterRole called edit.
    4. I pasted the permissions directly into restricted-project-member, except the permission which allows creating secrets.
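Steps 3 and 4 above can be done mechanically rather than by hand-editing the rule list. The script below is an added example, not code from the post or from Rancher: it takes the JSON of the built-in `edit` ClusterRole (as `kubectl get clusterrole edit -o json` would print it; a constructed excerpt is embedded so it runs offline), removes only the `create` verb on `secrets`, and leaves every other grant intact, so the output can be pasted into the restricted-project-member role.

```python
# Added example (not from the original post): build the rule list for a
# restricted-project-member role from the Kubernetes "edit" ClusterRole,
# dropping only the right to create Secrets. Kubernetes RBAC rules are
# purely additive and each rule is a cross product of apiGroups x resources
# x verbs, so splitting one rule into two is semantically identical.
import copy
import json

# Constructed excerpt of the "edit" ClusterRole (the real one has many more rules).
EDIT_CLUSTERROLE_JSON = """
{"kind": "ClusterRole", "metadata": {"name": "edit"},
 "rules": [
  {"apiGroups": [""], "resources": ["configmaps", "secrets", "services"],
   "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
  {"apiGroups": [""], "resources": ["pods"],
   "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}
 ]}
"""


def strip_verb(rules, api_group, resource, verb):
    """Return a copy of `rules` where `resource` loses `verb`; other resources in
    the same rule keep their full verb list. Caveat: a rule using "*" for verbs or
    resources must be expanded first, since "*" never literally matches `verb`."""
    out = []
    for rule in rules:
        if (api_group not in rule.get("apiGroups", [])
                or resource not in rule.get("resources", [])
                or verb not in rule.get("verbs", [])):
            out.append(copy.deepcopy(rule))
            continue
        others = [r for r in rule["resources"] if r != resource]
        if others:  # untouched resources keep every verb
            out.append({**copy.deepcopy(rule), "resources": others})
        kept = [v for v in rule["verbs"] if v != verb]
        if kept:  # the target resource keeps every verb except the removed one
            out.append({**copy.deepcopy(rule), "resources": [resource], "verbs": kept})
    return out


def restricted_rules(clusterrole_json=EDIT_CLUSTERROLE_JSON):
    """Rules for restricted-project-member: edit minus create on secrets."""
    return strip_verb(json.loads(clusterrole_json)["rules"], "", "secrets", "create")


def allows(rules, api_group, resource, verb):
    """True if any rule grants `verb` on `resource` (wildcards honoured)."""
    return any((api_group in r["apiGroups"] or "*" in r["apiGroups"])
               and (resource in r["resources"] or "*" in r["resources"])
               and (verb in r["verbs"] or "*" in r["verbs"]) for r in rules)


if __name__ == "__main__":
    print(json.dumps(restricted_rules(), indent=2))
```

Run `allows(rules, "", "secrets", "create")` on the result to confirm the grant is gone before pasting the rules into the Rancher role.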