In some cases we may want to surface the existence of a resource where the user may not be authorized to access its contents. This might be because the user lacks view permissions on a top-level resource like an org or a group, but has fine-grained permissions to see something within its scope.
In this case we might restrict our responses to only surface the id and type but attributes are omitted.
There may even be more exotic cases where you have authorization to see some attributes but not others.
So there are various levels of authz read permissions emerging here:
1. You don't have permission to even know this exists: 404
1b. You have permission to know you're not allowed to access it: 403
2. You have permission to know existence, but only an opaque id that can be used to relate to things you do have access to. You get data: {id: xxx, type: yyy} and that's all (no attributes).
3. You have partial permission on a resource, so some attributes are left out.
4. You have full read permission to a resource.
OpenAPI out of the box can only express required vs optional properties. Right now, we can accommodate levels 1, 2 and 4.
We might need extensions to express level 3, if it is a good idea.
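The tiers above, as an added illustration (not code from this project), in a response-shaping function: the grant decides the status code and how much of the resource's body is returned, with the level-1 case returning the same body as a genuinely missing resource so existence is not revealed. The resource shape (id, type, attributes), the Grant type and the sample record are assumptions of this example.

```python
from dataclasses import dataclass, field

# Permission tiers from the issue, in order of increasing visibility.
NONE, KNOWN_DENIED, EXISTENCE, PARTIAL, FULL = 0, 1, 2, 3, 4

# Constructed sample resource; not taken from any real system.
SAMPLE = {"id": "grp-1", "type": "group",
          "attributes": {"name": "eng", "budget": 100}}


@dataclass
class Grant:
    level: int
    # Attribute names the caller may read; only consulted at level PARTIAL.
    readable: set = field(default_factory=set)


def shape_response(resource: dict, grant: Grant) -> tuple[int, dict]:
    """Return (HTTP status, JSON body) for a read, never exposing more than the grant allows."""
    if grant.level == NONE:
        # Indistinguishable from a missing resource: no existence leak.
        return 404, {"errors": [{"status": "404", "title": "Not Found"}]}
    if grant.level == KNOWN_DENIED:
        # Caller may learn the resource exists but is off limits.
        return 403, {"errors": [{"status": "403", "title": "Forbidden"}]}
    body = {"id": resource["id"], "type": resource["type"]}
    if grant.level == EXISTENCE:
        # Opaque identity only; attributes are omitted entirely.
        return 200, {"data": body}
    attrs = resource.get("attributes", {})
    if grant.level == PARTIAL:
        # Drop every attribute the grant does not explicitly allow.
        attrs = {k: v for k, v in attrs.items() if k in grant.readable}
    body["attributes"] = attrs
    return 200, {"data": body}
```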