@Jason Johnson If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the same operation, the user is allowed to perform that operation. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.
E.g. If the user is assigned with Contributor and New Role (custom role that you are creating), user will be allowed to rename the subscription because Contributor role allows this action.
I would suggest you to create a new test user, assign only the "New Role" to the user and try to rename the subscription to make sure no other role is allowing this action.
-----------------------------------------------------------------------------------------------------------
Please "accept as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.