
This page contains topics supporting ongoing discussion at dev@syncope.apache.org.

Realms

Tracked as SYNCOPE-119.

This topic dates back to very early in Syncope's history: the mail thread referenced in the issue above was started in 2011, even before the project entered the incubator.

Fundamentally, it is intended as a proper replacement for the current authorization mechanism, which has been in place almost since the beginning and is based on the concept of role entitlement.

The idea is to introduce the concept of realm, widely employed elsewhere as a means of defining security constraints that restrict access to shared 'resources'.

Summarizing the changes:

  1. Create the new Realm entity, with the following characteristics:
    1. has a name and a parent realm (except for the pre-defined root realm, which is named '/');
    2. is either a leaf or the root of a sub-tree of realms;
    3. is uniquely identified by its path from the root realm, e.g. /a/b/c identifies the sub-realm 'c' in the sub-tree rooted at 'b', whose parent realm is in turn 'a', directly under the root realm;
    4. optionally refers to account or password policies;
    5. optionally has users and / or roles assigned.
  2. Update the Role entity by
    1. removing inheritance;
    2. removing references to account or password policies;
    3. adding a reference to a realm: each role of a sub-realm is also a role of its parent realm.
  3. Update the User entity by
    1. adding a reference to a realm: each user of a sub-realm is also a user of its parent realm.
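As an added illustration (not part of this proposal or of the Syncope code base), a minimal Python model of the realm tree described above: path derivation and uniqueness, name validation, path resolution, and the rule that roles and users assigned in a sub-realm are also roles and users of its parent realm. The realm names, users and roles in the sample tree are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Realm:
    name: str
    parent: "Realm | None" = None            # None only for the pre-defined root realm '/'
    children: dict = field(default_factory=dict)
    users: set = field(default_factory=set)  # users assigned directly to this realm
    roles: set = field(default_factory=set)  # roles assigned directly to this realm

    def __post_init__(self):
        if self.parent is None and self.name != "/":
            raise ValueError("only the pre-defined root realm may have no parent")
        if self.parent is not None:
            # A name containing '/' would make the path ambiguous; a duplicate sibling
            # name would break path uniqueness.
            if not self.name or "/" in self.name or self.name in self.parent.children:
                raise ValueError(f"invalid or duplicate realm name {self.name!r}")
            self.parent.children[self.name] = self

    @property
    def path(self) -> str:
        # Unique identifier: the path from the root realm, e.g. /a/b/c.
        if self.parent is None:
            return "/"
        prefix = self.parent.path
        return ("" if prefix == "/" else prefix) + "/" + self.name

    def subtree(self):
        yield self
        for child in self.children.values():
            yield from child.subtree()

    def effective_roles(self) -> set:
        # Each role of a sub-realm is also a role of its parent realm, so a realm's
        # effective roles are the union over its whole sub-tree (same for users).
        return set().union(*(r.roles for r in self.subtree()))
    def effective_users(self) -> set:
        return set().union(*(r.users for r in self.subtree()))

def find_realm(root: Realm, path: str):
    """Resolve a path such as '/a/b/c'; None if any segment does not exist."""
    node = root
    for segment in filter(None, path.split("/")):
        node = node.children.get(segment) if node else None
    return node

def build_sample() -> Realm:
    # Constructed sample tree (/a/b/c and /x) with made-up users and roles.
    root = Realm("/"); c = Realm("c", Realm("b", Realm("a", root))); x = Realm("x", root)
    c.roles.add("auditor"); c.users.add("alice"); x.roles.add("operator"); x.users.add("bob")
    return root
```

An administrator scoped to /a thus sees the 'auditor' role and 'alice' from /a/b/c, while nothing assigned under /x is visible from /a.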