custom roles denied actions still working through url

I am using arckinteractive's role plugin (https://github.com/arckinteractive/Roles/tree/master), I wanna restrict a role CUSTOMER from add and edit groups and below is my code: 

// mytheme/start.php

.....
function my_theme_roles_config($hook_name, $entity_type, $return_value, $params)
{
    $roles = [
        CUSTOMER => [
            'title' => 'Core Customer',
            'extends' => [],
            'permissions' => [
                'actions' => [
                    'groups/save' => [
                        'rule' => 'deny',
                        'forward' => 'groups/all'
                    ],
                    'groups/add' => [
                        'rule' => 'deny',
                        'forward' => 'groups/all'
                    ]
                ],
                'menus' => [
                    'site::members' => ['rule' => 'deny']
                ],
                'pages' => [
                    'groups/add/{$self_guid}' => array(
                            'rule' => 'deny',
                            'forward' => 'groups/all',
                        )
                ]
            ],
        ],
    ];

    if (!is_array($return_value)) {
        return $roles;
    } else {
        return array_merge($return_value, $roles);
    }
}

The create group button is successfully not showing and the member menu also not showing, so this function should be working without doubt. However, as a customer role user, I can still access the add group form and create a group by go to the url: http://mysite.com/groups/add. Can anyone point to me why the actions deny rule is not working here? Thanks