Hi, looking at Rancher's default roles, is it correct that a Cluster Member can create a Project? Thats what the GUI shows me. I find that hard to believe.

apiVersion: <http://management.cattle.io/v3|management.cattle.io/v3>
builtin: true
context: cluster
description: ''
displayName: Cluster Member
external: false
hidden: false
kind: RoleTemplate
metadata:
  annotations:
    <http://cleanup.cattle.io/rtUpgradeCluster|cleanup.cattle.io/rtUpgradeCluster>: 'true'
    <http://lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle|lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle>: 'true'
  creationTimestamp: '2023-01-31T11:41:34Z'
  finalizers:
    - <http://controller.cattle.io/mgmt-auth-roletemplate-lifecycle|controller.cattle.io/mgmt-auth-roletemplate-lifecycle>
  generation: 1
  labels:
    <http://authz.management.cattle.io/bootstrapping|authz.management.cattle.io/bootstrapping>: default-roletemplate
    <http://cattle.io/creator|cattle.io/creator>: norman
  managedFields:
    - apiVersion: <http://management.cattle.io/v3|management.cattle.io/v3>
      fieldsType: FieldsV1
      fieldsV1:
        f:builtin: {}
        f:context: {}
        f:description: {}
        f:displayName: {}
        f:external: {}
        f:hidden: {}
        f:metadata:
          f:annotations:
            .: {}
            f:<http://cleanup.cattle.io/rtUpgradeCluster|cleanup.cattle.io/rtUpgradeCluster>: {}
            f:<http://lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle|lifecycle.cattle.io/create.mgmt-auth-roletemplate-lifecycle>: {}
          f:finalizers:
            .: {}
            v:"<http://controller.cattle.io/mgmt-auth-roletemplate-lifecycle|controller.cattle.io/mgmt-auth-roletemplate-lifecycle>": {}
          f:labels:
            .: {}
            f:<http://authz.management.cattle.io/bootstrapping|authz.management.cattle.io/bootstrapping>: {}
            f:<http://cattle.io/creator|cattle.io/creator>: {}
        f:rules: {}
      manager: rancher
      operation: Update
      time: '2023-01-31T11:41:50Z'
  name: cluster-member
  resourceVersion: '8254'
  uid: 8d5303bf-a83d-4d27-b379-0e97d7d6417f
rules:
  - apiGroups:
      - <http://ui.cattle.io|ui.cattle.io>
    resources:
      - navlinks
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - <http://management.cattle.io|management.cattle.io>
    resources:
      - clusterroletemplatebindings
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - <http://management.cattle.io|management.cattle.io>
    resources:
      - projects
    verbs:
      - create
  - apiGroups:
      - <http://management.cattle.io|management.cattle.io>
    resources:
: