Handle more complex resource level permission requests

[shevron]

Currently we are only handling resource level scope requests of the form:

res:myorg/mydataset/*

We are not handling the following cases:

• Specific resource ID specified, with or without org / dataset IDs
• "All resources" type requests (e.g. res:myorg/mydataset/) - do these even make sense? Perhaps for create and list actions.
• Requests of the form res:myorg/*/* - i.e. act on any resource of any dataset in the organization. Do these even make sense to set up by default?