MB-46113: Restrict sync gateway architect role

Removed access to certain permissions for the
sync_gateway_configurator role as well as move the sync gateway
dev_ops permission to the top level cluster-wide permission instead of
being located under collections like the rest of the permissions.

Change-Id: I475b03191a5466c2625a27cc3892e0ff94c99e45
Reviewed-on: http://review.couchbase.org/c/ns_server/+/158962
Tested-by: Bryan McCoid <[email protected]>
Tested-by: Build Bot <[email protected]>
Well-Formed: Build Bot <[email protected]>
Reviewed-by: Steve Watanabe <[email protected]>

Author: bryandmc

src/menelaus_roles.erl

@@ -593,7 +593,10 @@ sync_gateway_roles(true) ->
        {desc, <<"Can manage Sync Gateway databases and users, "
                 "and access Sync Gateway's /metrics endpoint. "
                 "This user cannot read application data.">>}],
-      [{[{collection, ?RBAC_COLLECTION_PARAMS}, sgw], all}]},
+      [{[{collection, [any, any, any]}, sgw, appdata], none},
+       {[{collection, [any, any, any]}, sgw, principal_appdata], none},
+       {[{collection, [any, any, any]}, sgw, replications], none},
+       {[{collection, ?RBAC_COLLECTION_PARAMS}, sgw], all}]},
      {sync_gateway_app, ?RBAC_COLLECTION_PARAMS,
       [{name, <<"Sync Gateway Application">>},
        {folder, mobile},
@@ -624,7 +627,7 @@ sync_gateway_roles(true) ->
        {desc, <<"Can manage Sync Gateway node-level configuration, "
                 "and access Sync Gateway's /metrics endpoint "
                 "for Prometheus integration.">>}],
-      [{[{collection, [any, any, any]}, sgw, dev_ops], all},
+      [{[sgw, dev_ops], all},
        {[admin, stats_export], [read]}]}];
 sync_gateway_roles(false) ->
     [].