domain: add Identity & Access entities (User, Role, Permission, Group)

crates/domain/tests/entities/permission.rs

@@ -0,0 +1,19 @@
+use domain::entities::permission::{
+    admin_permissions, contributor_permissions, viewer_permissions,
+    Permission, PermissionAction, ResourceType,
+};
+
+#[test]
+fn admin_is_superset_of_contributor() {
+    let admin = admin_permissions();
+    let contrib = contributor_permissions();
+    assert!(contrib.is_subset(&admin));
+    assert!(admin.len() > contrib.len());
+}
+
+#[test]
+fn viewer_cannot_write() {
+    let viewer = viewer_permissions();
+    let write = Permission::new(PermissionAction::WriteMetadata, ResourceType::Global);
+    assert!(!viewer.contains(&write));
+}