You don't need to set the RBAC policy in the catalog; however, it's a good idea if multiple roles will need to access the objects in it. The permissions on the objects in the catalog work like any other new object: for the role creating them (the role running the CUJ), look at the 'default object permission template' in the role's settings. The permissions defined in that ACL template will be applied to the newly created objects. Otherwise it will be Role objecttype.*. Of course, people could have manually updated the permissions at various points as well.
If you set the RBAC policy now, it should apply the RBAC policy to all objects during the next CUJ. That will append to the existing permissions.
Removing permissions will require you to take a manual action of either removing each one you don't want on each object (e.g., with a script) or using the 'replace' option and applying new permissions once to all the objects in the catalog.