Set "can_add_repo': False," but still able to add new library from portal

Hi all,
I create a new role which only can not add new repo. I am enble cloud mode and muti-tenancy mode.
here is my role setting,
however when the account login still can add new library.

Blockquote
‘normaluser’: {
‘can_add_group’: False,
‘can_add_public_repo’: False,
‘can_add_repo’: False, <— set false
‘can_connect_with_android_clients’: True,
‘can_connect_with_desktop_clients’: True,
‘can_connect_with_ios_clients’: True,
‘can_drag_drop_folder_to_sync’: True,
‘can_export_files_via_mobile_client’: True,
‘can_generate_share_link’: True,
‘can_generate_upload_link’: True,
‘can_invite_guest’: False,
‘can_publish_repo’: False,
‘can_send_share_link_mail’: False,
‘can_use_global_address_book’: False,
‘can_use_wiki’: False,
‘can_view_org’: False,
‘role_quota’: ‘’,
‘storage_ids’: [ ‘cold_storage’,‘new_storage’],

see under shared with all option, still can add library… how to disable shared with all option?

image

I think it is under table “OrgInnerPubRepo”
but my question is how come the org user already disable the create library but can create this inner public repo.
I know

Blockquote
Note: The can_add_public_repo option will not take effect if you configure global CLOUD_MODE = True .

so here shared with all means add public repo?
anyone have the data model so i can take a look.

update to 7.0.10 still can not solve the issue…
so sad …