Fine grained access control

[auniverseaway]

As an admin and author I would like the ability to prevent specific groups of users from performing actions so that I can sleep at night.

[auniverseaway]

I think this is starting to take shape. Some comments based on @bosschaert's docs: https://github.com/adobe/da-live/wiki/Using-ACLs

1. Can we set an org only group? Instead of {{human-readable-org-name}}/{{human-readable-group-name}} we just have {{human-readable-org-name}}. This is something David N had talked about... if you're a part of the org, we should default to giving everyone in the org read-only.
3. Looks like we support multiple orgs, which I think is right.
4. We say "actions" in the heading, but we only allow one action. I think it's fine to leave, but someone may think they can add multiple actions here.
5. How much lift is it to support the deny pattern? Does this go against our, "no denies" commentary? I know a lot of folks talk a big game about keeping content hidden, but is this a real use case?

I think the overwhelming majority of sites are going to look like this:

/site/ + *              | {{org-name}}                 | read
/site/ + *              | {{org-name}}/{{group-name}}  | write
/site/drafts/*          | {{org-name}}                 | write