
implement a permissions model?

Open bacongobbler opened this issue 2 years ago • 0 comments

Typically, a hosted cloud platform has you log in with your account, create applications, upload personal security keys, some form of user/group management, etc. Right now, anyone with credentials can log into the system and create/read/update/delete anything that has been created by any user.

If we were to implement some form of permissions model, how would that look?

Areas to consider:

  • are there personal settings (like security keys) that should be tied to a single user?
  • should we create a notion of a "group" that users can be invited to and create applications in that group? How do we handle creation/updates/invitations/deletion? I'm thinking specifically the relationship between GitHub orgs and repositories vs. personal repositories.
  • because we push artifacts to bindle, can we figure out a user story to lock down read/write access to certain namespaces/bindle IDs within bindle?
  • is there a way we can sign/verify bindles to catch unsigned or unverified bindles from being deployed to nomad?

bacongobbler, Mar 25 '22 04:03