Permissions, Entitlements, and Feature Flags for Resources

[ianlivingstone]

We need to introduce rules & documentation for how permissions, entitlements, and feature flags are surfaced/work with respect to our data model.

[cmars]

⚾ 👍

[ianlivingstone]

Here are some thoughts, we will need to think about this further:

• Read on a resource has to be top-level at the operation - otherwise, we end up with situations where fields are nullable based on permissions which gives an undesirable experience in a typed language.
• It may be required for us to support write on an object or property level to deal with situations where a customer can set a property but not another property (e.g. settings). To set a child property you must be able to write to other parts. It's not clear if this is required but there is a trade-off between the simplicity of the permission model and the structure of the data model.
• Delete can only exist on an entire resource

We will also want to differentiate between "configuring" something and whether you have an entitlement to use that "thing". For example, can I configure product settings for a product I haven't purchased? How does that surface in the API?

This is deeply tied to the core of our data model.

cc @gablaxian