Is it possible to have separate teams in single org that can't touch upon each other's work, through the use of custom roles and permissions?

Although I read otherwise, it seems somewhat possible to use regex expressions to give permisions on specific resources, at least on proxies. But that doesn't to the trick. I don't success in locking down objects to specific subgroup.

Test executed

Create custom role "RoleA"

Add UserA to RoleA

Create custom permissions to manage the "A*" proxies:

POST https://api.enterprise.apigee.com/v1/organizations/<org>/userroles/RoleA/resourcepermissions

{ "resourcePermission" : [

{ "path" : "/applications", "permissions" : [ "get","put" ] },

{ "path" : "/applications/A*", "permissions" : [ "get", "put", "delete" ] },

{ "path" : "/apis", "permissions" : [ "get","put" ] },

{ "path" : "/apis/A*", "permissions" : [ "get", "put", "delete" ] } ] }

Note: docs talks about /applications but nowhere about /apis

As UserA, create proxy "Aproxy" and proxy "Bproxy".

POST https://api.enterprise.apigee.com/v1/organizations/<org>/apis { "name": "Bproxy" }

User A is able to delete proxy "Aproxy", but is not able to delete "Bproxy". Which is good, as hoped.

DELETE https://api.enterprise.apigee.com/v1/organizations/<org>/apis/Bproxy -> 403 Forbidden

But UserA is able to modify proxy "Bproxy", and that is not good.