Enable a consistent approach to AAA for AA0.5

For each application we must define and document, to facilitate review by our architect and our security team: a set of user groups, which are mapped on to the application's capabilities, which allow restriction of access based on roles (e.g. restrict roles to read-only access) a set of group managers (must be SKAO staff or associates) - these people will need to manage group membership. We favour smaller groups with well-defined membership. Groups can contain other groups in a hierarchy. timeouts - when do we lock a user's access and force re-authentication (with or without forcing an MFA token refresh)? This can be different for different applications - for applications like Binderhub with the most access, we expect shorter timeouts. activity logs: what user is running what command. Can be more minimal for lower-risk apps, and must be more extensive for higher risk apps. based on activity logs or other indicators, when do we freeze accounts, or raise an alarm/alert? a set of tests to show that you can gain appropriate access if in the correct group, and that access is denied if you are not in the correct group, ideally in an XRAY test plan showing successful test executions. See example mapping on Miro a set of tests to show we are validating tokens appropriately how tokens are acquired and stored and passed around