alko13
Quartz | Level 8

We are trying to set up permissions in SAS Management Console using ACT.

Our objective is to restrict write access to certain tables.

We are using EG to read/modify tables.

We have created an ACT object and we have given only “Read Metadata” and “Read” permissions. All other actions are set to Deny. After creating ACT, we have assigned the ACT to a specific table.

We have double-checked that the table is effective with the latest permissions from the ACT. However, the user can still edit the table using EG even though “Write” permission is set to Deny.

Note: Parent folder of this library also does not have WriteMetadata/Write permission.

 

Any tips/suggestions?

 

Thanks in advance

2 REPLIES 2
SASKiwi
PROC Star

There's a lot to learn with doing SAS metadata permissions and so I'll point you at @PaulHomes's really excellent and useful link: https://platformadmin.com/blogs/paul/2017/06/sas-gel-security-rules-with-metacoda-security-tests/

 

For starters you apply ACTs to User Groups, not to files.

 

Also it's worth pointing out that these permissions apply only to metadata libraries referenced in your SAS programs. If someone runs a LIBNAME statement in a program, then that bypasses metadata permissions. The same applies at the OS level where deleting or renaming a SAS dataset file is still possible. It all depends on what level of security you want. Locking down SAS libraries completely is possible but it is complex to set up and there are maintenance overheads as well. If you are just wanting to make accidental overwriting less possible in SAS then metadata protection could be enough.

PaulHomes
Rhodochrosite | Level 12

I suspect the issue you are encountering is that you are using the SAS BASE engine to access data which ignores the R,W,C,D metadata permissions. Also whether the ReadMetadata permission is considered depends on how the SAS library is being assigned.

 

To enforce metadata "data" permissions you need to add a layer on top such as the SAS Metadata Libname Engine (see Metadata LIBNAME Engine https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/lrmeta/part-3.htm) or SAS Metadata Bound Libraries (see SAS 9.4 Guide to Metadata-Bound Libraries https://support.sas.com/documentation/cdl/en/seclibag/66930/HTML/default/viewer.htm#seclibagwhatsnew...).

 

Controlling access to data through SAS metadata can be complicated and I think this is in part because with SAS 9 they had to walk a fine line between providing access via metadata but also maintaining backward compatibility for decades of legacy code that was written before the SAS Metadata Server existed. A SAS administrator can try to control access through the metadata authorization layer but needs to be aware that those access controls only work in some scenarios and that savvy coders can try to bypass them using traditional techniques with SAS libname statements. There are a variety of ways to try and prevent this but, as @SASKiwi mentions, it comes with complexity and maintenance overheads. Deciding on which technique to use also depends on to what extent you are trying to secure access to data: are you doing it for convenience or user experience, where you want to limit access by default but are not concerned if some knowledgeable people can bypass it? Or are you doing it for security, where you don't want anyone to be able to bypass it? For the former I would suggest the Metadata Libname Engine and for the latter I would recommend SAS Metadata Bound Libraries.

Of course another technique is to use a SAS/ACCESS engine and house the data in a 3rd party database which has its own authorization layer.
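
The three ways of assigning a library discussed in this thread, side by side, as an added example that is not part of any poster's reply. The librefs, the path `/data/sales`, the registered library name `Sales Data`, the table `orders` with its `status` column, the secured folder and library names, and the password are all placeholders, and a metadata server connection is assumed to be configured already.

```sas
/* Added illustration; every name, path and password below is a placeholder. */
/* Assumes the METASERVER=, METAPORT=, METAUSER= and METAPASS= system       */
/* options already point at the metadata server.                            */

/* 1. Direct BASE engine assignment: the Read/Write/Create/Delete metadata  */
/*    permissions are not consulted, only operating-system file permissions.*/
/*    This is the situation described in the question.                      */
libname direct base "/data/sales";

/* 2. Metadata LIBNAME Engine: access goes through the registered library   */
/*    object, so the permissions set on the table in metadata are applied.  */
libname viameta meta library="Sales Data";

/* Verification step, run as the restricted user: with Write denied on the  */
/* table, the engine should refuse this update instead of changing rows.    */
proc sql;
   update viameta.orders set status = status;
quit;

/* 3. Metadata-bound library: an administrator binds the physical library   */
/*    to a secured library object. After binding, the tables themselves     */
/*    carry the binding, so a direct BASE LIBNAME to the same path is also  */
/*    checked against metadata permissions.                                 */
libname bound base "/data/sales";

proc authlib lib=bound;
   create securedfolder="Sales Dept"
          securedlibrary="SalesSecured"
          pw=PlaceholderPw1;
quit;

/* Administrator check: list the library's tables and their binding state.  */
proc authlib lib=bound;
   report;
quit;
```

Option 2 only protects sessions that use the metadata-assigned libref; option 3 is the one that still applies when someone issues their own LIBNAME statement against the same path.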
