audit the permissions required to modify a resource's policy #2303

@davepacheco

Creating this ticket for

// TODO-security We should carefully review what permissions are
// required for modifying the policy of a resource.

(edit: this comment was removed under #2417 but the issue remains)

Internally, there's an explicit authz action for ModifyPolicy. Who should get it? Right now, it's precisely anyone who can modify the resource:

Action::ModifyPolicy => Perm::Modify,

For resources covered by the roles policy test, you can see which roles are able to modify the resource's policy in this output file (the "MP" column):
https://github.com/oxidecomputer/omicron/blob/b062e95f5f917909b8c6d40200a4d0d80847694f/nexus/tests/output/authz-roles.out

We should make sure that's right.
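
As an added illustration (not part of the issue and not omicron code), one way to turn a roles table into a review list: collect every role that holds "MP" on each resource, and count rows where "MP" and "M" disagree, which should be zero while `Action::ModifyPolicy` maps to `Perm::Modify`. The table layout, the sample rows, and all names in the code are assumptions made for this example.

```rust
// Constructed sample. Layout is assumed: a "resource:" line, a header naming the
// columns, one row per role, "✔" = allowed. Grant and the fns are hypothetical.
const SAMPLE: &str = "\
resource: Project \"demo-project\"
  USER               R  M MP
  proj-admin         ✔  ✔  ✔
  proj-collaborator  ✔  ✔  ✔
  proj-viewer        ✔  ✘  ✘
resource: Silo \"demo-silo\"
  USER               R  M MP
  silo-admin         ✔  ✔  ✔
  silo-viewer        ✔  ✘  ✘
";
struct Grant { resource: String, role: String, modify: bool, modify_policy: bool }

fn parse(table: &str) -> Vec<Grant> {
    let (mut out, mut resource) = (Vec::new(), String::new());
    let (mut m_col, mut mp_col): (Option<usize>, Option<usize>) = (None, None);
    for line in table.lines() {
        let cells: Vec<&str> = line.split_whitespace().collect();
        if let Some(rest) = line.strip_prefix("resource:") {
            resource = rest.trim().to_string();
        } else if cells.first() == Some(&"USER") {
            m_col = cells.iter().position(|c| *c == "M");
            mp_col = cells.iter().position(|c| *c == "MP");
        } else if let (Some(m), Some(mp)) = (m_col, mp_col) {
            if cells.len() > m.max(mp) {
                let (modify, modify_policy) = (cells[m] == "✔", cells[mp] == "✔");
                out.push(Grant { resource: resource.clone(), role: cells[0].into(), modify, modify_policy });
            }
        }
    }
    out
}

/// (resource, role) pairs allowed to modify the resource's policy: the review list.
fn policy_modifiers(grants: &[Grant]) -> Vec<(&str, &str)> {
    grants.iter().filter(|g| g.modify_policy)
        .map(|g| (g.resource.as_str(), g.role.as_str())).collect()
}

/// Rows where MP and M differ; expected to be 0 while ModifyPolicy maps to Perm::Modify.
fn mp_differs_from_modify(grants: &[Grant]) -> usize {
    grants.iter().filter(|g| g.modify != g.modify_policy).count()
}

fn main() {
    let g = parse(SAMPLE);
    println!("MP holders: {:?}; MP != M rows: {}", policy_modifiers(&g), mp_differs_from_modify(&g));
}
```

A non-zero count from `mp_differs_from_modify` after a future policy change would show exactly which roles gained or lost the ability to modify a policy independently of modifying the resource.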

Labels: security
