At now If Administrator wants to add possibility to edit only one field then user/role has to be removed from entities.update roles/users path and this user/role has to be added to particular property under updateProperties path.

If Administrator wants to prohibit edit only one properties from set of 10 or more properties then configuration is a little complex.

The deny action can help and then Administrator can add deny action only to property that user should not be able to edit - e.g $identifier