Support of DENY access

[fmigneault]

Feature

Consider the possibility to support the option to add an non-permission that would restrict the user access to a resource.
General use case:

                            deny        allowed
service                                    X
├─ resource1               
│    ├─ resource2             X   
│    │    ├─ resource2.1  
│    │    └─ resource2.2                   X 
│    └─ resource3 
└─ resource4

Allowed user/group access: service, resource1, resource3, resource4
Denied user/group access: resource2, resource2.1, resource2.2 (deny has priority)

Changes

• This feature would need to refactor UI to have Allow|Deny|None instead of simple checkboxes.
• It would also require a new field during POST request to specify whether the created permission is Allow|Deny.
• Parsing of permissions would need to continue all the way to the top service to check for denial access in case lower allowed was given (current behaviour is to exit with allowed access directly).

[dbyrns]

@tlvu and @huard this is what we should check to support the special case grant access to everything but that private folder.
The current implementation which is way simpler still support the case where we forbid access to everything but the public folder (where everything could be added except the private data). So in short if we can organize the data a little bit we could avoid this complex issue completely.
So I would like to have your opinion on that.

[tlvu]

As @fmigneault described in comment Ouranosinc/pavics-sdi#111 (comment), this issue is to implement option 3.

Not sure how thredds layout will evolve in the future but if changes are infrequent, I guess we can go with option 2 so at least browsing is working for top-level and delay this major refactoring until it's really needed.

Just my opinion, don't know what @huard think.