diff --git a/pkg/permission/permission.go b/pkg/permission/permission.go
index 7a90e5079da08648cbdefe565d39f4d8b801a275..e08579e9c074470a80b8e2ecce3c1e62634b02f1 100644
--- a/pkg/permission/permission.go
+++ b/pkg/permission/permission.go
@@ -53,12 +53,6 @@ func (p Permission) RemoveFields(in map[string]interface{}) map[string]interface
 	if in == nil {
 		return nil
 	}
-	out := make(map[string]interface{})
-	for k, v := range in {
-		if data.Contains(k, p.UnallowedFields) {
-			continue
-		}
-		out[k] = v
-	}
-	return out
+	data.DeleteMany(p.UnallowedFields, in)
+	return in
 }
diff --git a/pkg/permission/permission_test.go b/pkg/permission/permission_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..2a365601e201a6fd31a34b89bcc47d3de14b4406
--- /dev/null
+++ b/pkg/permission/permission_test.go
@@ -0,0 +1,60 @@
+package permission
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPermission_RemoveFields(t *testing.T) {
+
+	tests := []struct {
+		name            string
+		unallowedFields []string
+		in              map[string]interface{}
+		want            map[string]interface{}
+	}{
+		{
+			name: "nil",
+			in:   nil,
+			want: nil,
+		},
+		{
+			name: "empty",
+			in:   map[string]interface{}{},
+			want: map[string]interface{}{},
+		},
+		{
+			name:            "empty unallowedFields",
+			in:              map[string]interface{}{"f": "v"},
+			want:            map[string]interface{}{"f": "v"},
+			unallowedFields: nil,
+		},
+		{
+			name:            "remove fields",
+			in:              map[string]interface{}{"f": "v", "f1": "v"},
+			want:            map[string]interface{}{"f": "v"},
+			unallowedFields: []string{"f1"},
+		},
+		{
+			name:            "all present fields allowed",
+			in:              map[string]interface{}{"f": "v", "f1": "v"},
+			want:            map[string]interface{}{"f": "v", "f1": "v"},
+			unallowedFields: []string{"f2"},
+		},
+		{
+			name:            "unallowed fields in nested object",
+			in:              map[string]interface{}{"obj": map[string]interface{}{"f": "v", "f1": "v"}},
+			want:            map[string]interface{}{"obj": map[string]interface{}{"f": "v"}},
+			unallowedFields: []string{"obj.f1"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := Permission{
+				UnallowedFields: tt.unallowedFields,
+			}
+			assert.Equal(t, tt.want, p.RemoveFields(tt.in))
+		})
+	}
+}
diff --git a/pkg/permission/ruleset.go b/pkg/permission/ruleset.go
index b9a84f3747223cf4139c905e3d65ebb9f4dea336..0843afc79922be9a20c06009d4084a281b3cd68f 100644
--- a/pkg/permission/ruleset.go
+++ b/pkg/permission/ruleset.go
@@ -133,6 +133,8 @@ func (r Rule) GetPermission(action Action) *Permission {
 				p.UnallowedFields = append(p.UnallowedFields, r.ReadonlyFields...)
 			}
 
+			p.UnallowedFields = data.SetFromSlice(p.UnallowedFields)
+
 			return p
 		}
 	}
diff --git a/pkg/permission/ruleset_test.go b/pkg/permission/ruleset_test.go
index 47c1f07614b1d2edef196db6238adaf40b33e073..175c36261152afcf2b2c585382588f97b5465591 100644
--- a/pkg/permission/ruleset_test.go
+++ b/pkg/permission/ruleset_test.go
@@ -49,3 +49,44 @@ func TestMerge(t *testing.T) {
 		})
 	}
 }
+
+func TestRule_GetPermission(t *testing.T) {
+	tests := []struct {
+		name            string
+		action          Action
+		rule            Rule
+		unallowedFields []string
+		want            *Permission
+	}{
+		{
+			name:            "ActionRead",
+			action:          ActionRead,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f3"}},
+			unallowedFields: []string{"f2", "f3"},
+		},
+		{
+			name:            "ActionRead readonly&writeonly",
+			action:          ActionRead,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f1"}},
+			unallowedFields: []string{"f1", "f2"},
+		},
+		{
+			name:            "ActionUpdate",
+			action:          ActionUpdate,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f3"}},
+			unallowedFields: []string{"f1"},
+		},
+		{
+			name:            "ActionUpdate readonly&writeonly",
+			action:          ActionUpdate,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f1"}},
+			unallowedFields: []string{"f1"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := tt.rule.GetPermission(tt.action)
+			assert.ElementsMatch(t, tt.unallowedFields, p.UnallowedFields)
+		})
+	}
+}