More restrictive service user rights

[kwin]

Currently the (single) service user is used for almost all operations and grants full access to the repository.

set principal ACL for actool-service
    allow jcr:all on /
    allow jcr:all on :repository 
end

The permissions should be limited to what is actually necessary.

[kwin]

The necessary permissions differ by functionality:

1. Dumping Authorizables/ACLs
   • jcr:read on /home/users and /home/groups
   • jcr:readACL on /
2. Installing ACTool configurations
   • jcr:readACL and jcr:modifyACL on /
   • jcr:read and jcr:write on /home/users/ and /home/groups
   • potentially jcr:write anywhere due to initialContent
   • jcr:read inside configurationRootPath
3. Writing/Reading ACTool history
   • jcr:read/write on /var/statistics/actool and /apps/netcentric/achistory