  1. Automation Hub
  2. AAH-1609

Write functional tests for RBAC

    • Task
    • Resolution: Done
    • Major
    • 2.3
    • Backend
    • ANSTRAT-423 - Direct LDAP connection from Private Hub in App without another VM being required

      Write functional tests to verify that permissions are being applied correctly.

      This spreadsheet describes a list of actions that can be taken on the Automation Hub API/Pulp APIs as well as a list of roles in the system and the associated actions that each role can perform. For each role listed here we need a test that verifies that the group with the role CAN perform the actions listed on it and CANNOT perform the actions that are not listed.

      These tests are intended to be simple. The only thing that needs to be verified is that the operation fails when the user doesn't have permissions and succeeds when they do. The integrity of the API responses doesn't matter.

      The list of roles is broken into two groups: "global" and "global and object". Global actions apply to all objects of a type (e.g., every single container namespace). Object actions can only be taken on a single instance of an object (e.g., namespace foo.bar). For actions that need to be tested with global roles, the role must be applied globally to the group and then the action must be taken on an object where the user doesn't have object permissions. For object permissions, a group with no global permissions must be granted object permissions on the object.

      Example: 
      To test "change collection namespace" with global and local permissions:

      • create namespace ibm
      • create group ibm-devs
      • grant group ibm-devs the galaxy.namespace_owner permission on ibm
      • attempt to change the namespace with a user in the ibm-devs group
      • create group content-admins
      • grant group content-admins the galaxy.namespace_owner globally
      • attempt to change the namespace with a user in the content-admins group
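
The steps above, modelled as an added example (not code from Automation Hub or from the ticket's author). A constructed in-memory permission model stands in for the Hub/Pulp APIs; the role-to-action mapping, the user names, the `other` namespace and the `no-roles` group are assumptions, added so the CANNOT side is checked as well as the CAN side.

```python
# Constructed in-memory model; this is not the Automation Hub or Pulp API.
from collections import defaultdict

# Assumed role-to-action mapping; the real one is in the ticket's spreadsheet.
ROLE_ACTIONS = {"galaxy.namespace_owner": {"change_namespace"}}


class Hub:
    def __init__(self):
        self.members = defaultdict(set)       # group -> users
        self.global_roles = defaultdict(set)  # group -> roles
        self.object_roles = defaultdict(set)  # (group, object) -> roles

    def add_user(self, group, user):
        self.members[group].add(user)

    def grant(self, group, role, obj=None):
        """Grant a role globally (obj=None) or on a single object."""
        if obj is None:
            self.global_roles[group].add(role)
        else:
            self.object_roles[(group, obj)].add(role)

    def allowed(self, user, action, obj):
        """True if any of the user's groups holds a role permitting the action."""
        for group, users in self.members.items():
            if user not in users:
                continue
            roles = (self.global_roles.get(group, set())
                     | self.object_roles.get((group, obj), set()))
            if any(action in ROLE_ACTIONS.get(r, ()) for r in roles):
                return True
        return False


def run_matrix():
    """Follow the ticket's steps; return {(user, namespace): allowed}."""
    hub = Hub()
    hub.add_user("ibm-devs", "dev")                  # object role on ibm only
    hub.grant("ibm-devs", "galaxy.namespace_owner", obj="ibm")
    hub.add_user("content-admins", "admin")          # global role, no object role
    hub.grant("content-admins", "galaxy.namespace_owner")
    hub.add_user("no-roles", "outsider")             # negative control
    return {(user, ns): hub.allowed(user, "change_namespace", ns)
            for user in ("dev", "admin", "outsider")
            for ns in ("ibm", "other")}
```

The `admin` user is checked against namespaces where `content-admins` holds no object role, which is the condition the ticket sets for testing a global role.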

            bmclaugh@redhat.com Brian McLaughlin
            dnewswan David Newswanger