diff --git a/pkg/permission/permission.go b/pkg/permission/permission.go
index 7a90e5079da08648cbdefe565d39f4d8b801a275..e08579e9c074470a80b8e2ecce3c1e62634b02f1 100644
--- a/pkg/permission/permission.go
+++ b/pkg/permission/permission.go
@@ -53,12 +53,6 @@ func (p Permission) RemoveFields(in map[string]interface{}) map[string]interface
 	if in == nil {
 		return nil
 	}
-	out := make(map[string]interface{})
-	for k, v := range in {
-		if data.Contains(k, p.UnallowedFields) {
-			continue
-		}
-		out[k] = v
-	}
-	return out
+	data.DeleteMany(p.UnallowedFields, in)
+	return in
 }
diff --git a/pkg/permission/permission_test.go b/pkg/permission/permission_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..96f05ef5516a3028722d151a4de69280fc2e2dc1
--- /dev/null
+++ b/pkg/permission/permission_test.go
@@ -0,0 +1,60 @@
+package permission
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPermission_RemoveFields(t *testing.T) {
+
+	tests := []struct {
+		name            string
+		unallowedFields []string
+		in              map[string]interface{}
+		want            map[string]interface{}
+	}{
+		{
+			name: "nil",
+			in:   nil,
+			want: nil,
+		},
+		{
+			name: "empty",
+			in:   map[string]interface{}{},
+			want: map[string]interface{}{},
+		},
+		{
+			name:            "empty unallowedFields",
+			in:              map[string]interface{}{"f": "v"},
+			want:            map[string]interface{}{"f": "v"},
+			unallowedFields: nil,
+		},
+		{
+			name:            "remove fields",
+			in:              map[string]interface{}{"f": "v", "f1": "v"},
+			want:            map[string]interface{}{"f": "v"},
+			unallowedFields: []string{"f1"},
+		},
+		{
+			name:            "no fields",
+			in:              map[string]interface{}{"f": "v", "f1": "v"},
+			want:            map[string]interface{}{"f": "v", "f1": "v"},
+			unallowedFields: []string{"f2"},
+		},
+		{
+			name:            "obj fields",
+			in:              map[string]interface{}{"obj": map[string]interface{}{"f": "v", "f1": "v"}},
+			want:            map[string]interface{}{"obj": map[string]interface{}{"f": "v"}},
+			unallowedFields: []string{"obj.f1"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := Permission{
+				UnallowedFields: tt.unallowedFields,
+			}
+			assert.Equal(t, tt.want, p.RemoveFields(tt.in))
+		})
+	}
+}
diff --git a/pkg/permission/ruleset.go b/pkg/permission/ruleset.go
index b9a84f3747223cf4139c905e3d65ebb9f4dea336..a915a055759b3185825820233b623eb0d4b21762 100644
--- a/pkg/permission/ruleset.go
+++ b/pkg/permission/ruleset.go
@@ -127,12 +127,14 @@ func (r Rule) GetPermission(action Action) *Permission {
 			case ActionRead:
 				p.Filter = r.ReadFilter
 				p.UnallowedFields = append(p.UnallowedFields, r.HiddenFields...)
-				p.UnallowedFields = append(p.UnallowedFields, r.WriteonlyFields...)
+				p.UnallowedFields = append(p.UnallowedFields, data.Difference(r.WriteonlyFields, r.ReadonlyFields)...)
 			case ActionCreate, ActionUpdate, ActionDelete:
 				p.Filter = r.WriteFilter
-				p.UnallowedFields = append(p.UnallowedFields, r.ReadonlyFields...)
+				p.UnallowedFields = append(p.UnallowedFields, data.Difference(r.ReadonlyFields, r.WriteonlyFields)...)
 			}
 
+			p.UnallowedFields = data.SetFromSlice(p.UnallowedFields)
+
 			return p
 		}
 	}
diff --git a/pkg/permission/ruleset_test.go b/pkg/permission/ruleset_test.go
index 47c1f07614b1d2edef196db6238adaf40b33e073..a05753844b25dcc3e0484b27384e89a39c7e26f5 100644
--- a/pkg/permission/ruleset_test.go
+++ b/pkg/permission/ruleset_test.go
@@ -49,3 +49,44 @@ func TestMerge(t *testing.T) {
 		})
 	}
 }
+
+func TestRule_GetPermission(t *testing.T) {
+	tests := []struct {
+		name            string
+		action          Action
+		rule            Rule
+		unallowedFields []string
+		want            *Permission
+	}{
+		{
+			name:            "ActionRead",
+			action:          ActionRead,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f3"}},
+			unallowedFields: []string{"f2", "f3"},
+		},
+		{
+			name:            "ActionRead readonly&writeonly",
+			action:          ActionRead,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f1"}},
+			unallowedFields: []string{"f2"},
+		},
+		{
+			name:            "ActionUpdate",
+			action:          ActionUpdate,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f3"}},
+			unallowedFields: []string{"f1"},
+		},
+		{
+			name:            "ActionUpdate readonly&writeonly",
+			action:          ActionUpdate,
+			rule:            Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f1"}},
+			unallowedFields: []string{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			p := tt.rule.GetPermission(tt.action)
+			assert.ElementsMatch(t, tt.unallowedFields, p.UnallowedFields)
+		})
+	}
+}