Replace folder permissions with icacls

6,688

Your first command grants Full Access to the folder for "This folder, subfolders and files."

The permissions aren't replaced by the second command; it grants Read & Execute permissions for Files only due to use of the object inheritance combination (OI)(IO). Apparently you cannot replace permissions that apply to "This folder, subfolders and files" with permissions that apply to Files only.

To replace the Full Access with Read & Execute permissions for "This folder, subfolders and files", use the same object inheritance in the second command:

    icacls folder /grant:r user:(oi)(ci)rx

Author: liamZ

Updated on September 18, 2022

Comments

  • liamZ
    liamZ over 1 year

    I want to replace a folder's permissions. First I did this:

    icacls folder /grant user:(oi)(ci)f
    

    Then I want to change the permissions and the inheritance to:

    icacls folder /grant:r user:(oi)(io)rx
    

    After this the permissions for user still are (oi)(ci)f.

    Why aren't the permissions replaced?

    Replacing permissions and inheritance with setacl works as expected:

    setacl -on folder -ot file -actn ace -ace "n:user;p:read_ex;i:io,so;m:set;w:dacl"
    

    Thanks for your answer. But is this by design? Or is this a bug? What's the use of the ":r" switch if the only way you can be sure to replace permissions (and inheritance) is this?

    icacls folder /remove user
    icacls folder /grant user:(oi)(io)rx
    

    I've been testing how "icacls /grant" works and I found that icacls writes an entry for every type of inheritance.

    Try this:

    md test
    icacls test /inheritance:r
    icacls test /grant user:f
    icacls test /grant:r user:(oi)rx
    icacls test /grant:r user:(ci)rx
    icacls test /grant:r user:(oi)(ci)rx
    icacls test /grant:r user:(ci)(oi)(io)rx
    icacls test /grant:r user:(io)(oi)rx
    icacls test /grant:r user:(io)(ci)rx
    

    Then to see the ACL:

    icacls test
    

    The result is:

    test PC\user:(F)
         PC\user:(OI)(IO)(RX)
         PC\user:(OI)(RX)
         PC\user:(CI)(IO)(RX)
         PC\user:(CI)(RX)
         PC\user:(OI)(CI)(IO)(RX)
         PC\user:(OI)(CI)(RX)
    

    So I've found that icacls /grant:r replaces permissions only for the same type of inheritance. In my original question:

    md test
    icacls test /inheritance:r
    icacls test /grant user:(oi)(ci)f
    icacls test /grant:r user:(oi)(io)rx
    

    icacls test gives the output

    test PC\user:(OI)(IO)(RX)
         PC\user:(OI)(CI)(F)
    

    And I think the GUI shows only (OI)(CI)(F) because it includes (OI)(IO)(RX).

    Am I missing something? Is this a bug or by design?

    • I say Reinstate Monica
      I say Reinstate Monica almost 7 years
      I cannot find an authoritative source that explains why the grant:r command does not replace all permissions for the specified user. My guess is that it's because Admins need a way to replace a specific permission+inheritance ACE (e.g. Grant Read to Files Only) without touching (or re-specifying) other permissions. It seems the /reset or /remove switches are provided for the case when all permissions for a user must be replaced. I agree the help text for /grant:r isn't very exhaustive on its function.
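
An added example, not part of the original thread: a Python check that parses `icacls` output and lists the explicit ACEs left behind for a user after `/grant:r`, run over the output quoted in the question. The function names and the `AFTER_REMOVE_GRANT` sample are constructed for illustration, and the parser assumes the rights are the last parenthesised group on each ACE line.

```python
import re

# One ACE as icacls prints it: PRINCIPAL:(flag)...(rights)
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([A-Za-z,]+\))+)$")

# Output quoted in the question: /grant (oi)(ci)f followed by /grant:r (oi)(io)rx
AFTER_GRANT_R = r"""test PC\user:(OI)(IO)(RX)
     PC\user:(OI)(CI)(F)
"""
# Constructed sample: the ACL expected after /remove followed by /grant
AFTER_REMOVE_GRANT = r"""test PC\user:(OI)(IO)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(output, path):
    """Return [(principal, frozenset(flags), rights)] from `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path + " "):   # the first line carries the path prefix
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                         # blank lines and the summary line
            continue
        groups = re.findall(r"\(([A-Za-z,]+)\)", m.group("groups"))
        aces.append((m.group("who"), frozenset(groups[:-1]), groups[-1]))
    return aces

def stale_aces(output, path, principal, want_flags, want_rights):
    """Explicit ACEs for `principal` other than the single intended one."""
    want = (frozenset(want_flags), want_rights)
    return [
        (tuple(sorted(flags)), rights)
        for who, flags, rights in parse_icacls(output, path)
        if who.lower() == principal.lower()
        and "I" not in flags              # skip ACEs inherited from the parent
        and (flags, rights) != want
    ]

if __name__ == "__main__":
    # The Full Access ACE survives /grant:r because its inheritance flags differ.
    print(stale_aces(AFTER_GRANT_R, "test", r"PC\user", {"OI", "IO"}, "RX"))
    print(stale_aces(AFTER_REMOVE_GRANT, "test", r"PC\user", {"OI", "IO"}, "RX"))
```

A non-empty result means the user still holds an ACE other than the intended one, so the narrowing did not take effect until that entry is removed.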