Include Islandora 7.x XACML restriction functionality

[bryjbrown]

Islandora 7.x provides the following types of "Object Policy" restrictions for objects, all of which can be restricted to only certain users and/or roles:

• Object Management: Restricts access to all activities covered under the "Manage" tab of an object, including datastream creation/updating/deletion, XACML policy applications, object deletion and state management, etc.
• Object Viewing: Restricts access to who can view an object, including search results and views.
• Datastreams and MIME Types: Restricts access to datastreams on an object by DSID or MIME type. Restricted users cannot view these datastreams, much less edit or delete them.

Additionally, collections have the ability to propagate these policies to their children in a variety of ways:

• New children of this object
• All children of this collection and collections within in this collection (existing and new)
• All immediate children of this collection

If we could tie this functionality into the module then we could also make XACML migration part of the Islandora 7.x migration framework and take care of Islandora/documentation#1159.

In order to extend Embargoes to become a superset of XACML policies, it would need to:

• Allow individual users to bypass an embargo (done)
• Allow individual roles to bypass an embargo
• Enable restrictions on editing embargoed nodes
• Enable restrictions on access to individual associated files
• Enable embargoes to apply recursively to collections