Show we allow changes to be made to permissions belonging to the Admin group? By default this is disabled to
prevent accidental tragedy, but you can enable it here when creating the default entry for `Admin`.

Show we allow permissions entries like `/`? By default, this is disallowed, but you can temporarily disable it here
when creating the default entry for `Admin`.

Inputs: [database-or-id :- MapOrID]
Returns: ObjectPath

Return the native query read/write permissions path for a database.
 This grants you permissions to run arbitary native queries.

Inputs: [database-or-id :- MapOrID]
Returns: ObjectPath

Return the permissions path for a database that grants full access to all schemas.

Check that the revision number coming in as part of NEW-GRAPH matches the one from OLD-GRAPH.
This way we can make sure people don't submit a new graph based on something out of date,
which would otherwise stomp over changes made in the interim.
Return a 409 (Conflict) if the numbers don't match up.

Inputs: [collection-or-id :- MapOrID]
Returns: ObjectPath

Return the permissions path for *read* access for a `collection-or-id`.

Inputs: [collection-or-id :- MapOrID]
Returns: ObjectPath

Return the permissions path for *readwrite* access for a `collection-or-id`.

Grant read access to a Collection, which means a user can view all Cards in the Collection.

Grant full access to a Collection, which means a user can view all Cards in the Collection and add/remove Cards.

Grant full access to the database, including all schemas and readwrite native access.

Grant full readwrite permissions for `group-or-id` to database with `database-id`.

Grant permissions to `group-or-id` to an object.

Grant full permissions for all schemas belonging to this database.
This does *not* grant native permissions; use `grant-native-readwrite-permissions!` to do that.

Inputs: []
Returns: PermissionsGraph

Fetch a graph representing the current permissions status for every Group and all permissioned databases.

Implementation of `IObjectPermissions` for objects that have a `collection_id`, and thus, a parent Collection.
 Using this will mean the current User is allowed to read or write these objects if they are allowed to read or
write their parent Collection.

Does PERMISSIONS-PATH grant access full access for OBJECT-PATH *or* for a descendant of OBJECT-PATH?

Does PERMISSIONS-PATH grant *full* access for OBJECT-PATH?

Is PERMISSIONS-SET a valid set of permissions object paths?

Log changes to the permissions graph.

Inputs: ([database-or-id :- MapOrID] [database-or-id :- MapOrID schema-name :- (s/maybe s/Str)] [database-or-id :- MapOrID schema-name :- (s/maybe s/Str) table-or-id :- MapOrID])
Returns: ObjectPath

Return the [readwrite] permissions path for a Database, schema, or Table. (At the time of this writing, DBs and
schemas don't have separate `read/` and write permissions; you either have 'data access' permissions for them, or
you don't. Tables, however, have separate read and write perms.)

Schema for a valid permissions path to an object.

Entity for 'permissions' table; instance of PermissionsInstance.

Inputs: [this :- {:collection_id (s/maybe su/IntGreaterThanZero), s/Keyword s/Any} read-or-write :- (s/enum :read :write)]
Returns: #{ObjectPath}

Implementation of `IModel` `perms-objects-set` for models with a `collection_id`, such as Card, Dashboard, or Pulse.
This simply returns the `perms-objects-set` of the parent Collection (based on `collection_id`), or for the Root
Collection if `collection_id` is `nil`.

Revoke all access for `group-or-id` to a Collection.

Remove all permissions entires for a DB and *any* child objects.
This does *not* revoke native permissions; use `revoke-native-permssions!` to do that.

Revoke all native query permissions for `group-or-id` to database with `database-id`.

Revoke all permissions for `group-or-id` to object with `path-components`, *including* related permissions (i.e,
permissions that grant full or partial access to the object in question).


  (revoke-permissions! my-group my-db)

Inputs: [permissions-set :- #{UserPath} object-paths-set :- #{ObjectPath}]
Returns: s/Bool

Do the permissions paths in PERMISSIONS-SET grant *full* access to all the object paths in OBJECT-PATHS-SET?

Does PERMISSIONS-SET grant *full* access to object with PATH?

Inputs: [permissions-set :- #{UserPath} object-paths-set :- #{ObjectPath}]
Returns: s/Bool

Do the permissions paths in PERMISSIONS-SET grant *partial* access to all the object paths in OBJECT-PATHS-SET?
 (PERMISSIONS-SET must grant partial access to *every* object in OBJECT-PATH-SETS set).

Does PERMISSIONS-SET grant access full access to object with PATH *or* to a descendant of it?

Inputs: ([new-graph :- StrictPermissionsGraph] [ks :- [s/Any] new-value])

Update the permissions graph, making any changes necessary to make it match NEW-GRAPH.
 This should take in a graph that is exactly the same as the one obtained by `graph` with any changes made as
 needed. The graph is revisioned, so if it has been updated by a third party since you fetched it this function will
 fail and return a 409 (Conflict) exception. If nothing needs to be done, this function returns `nil`; otherwise it
 returns the newly created `PermissionsRevision` entry.

Schema for a valid permissions path that a user might possess in their `*current-user-permissions-set*`. This is the
same as what's allowed for `ObjectPath` but also includes root permissions, which admins will have.

Does OBJECT-PATH follow a known, allowed format to an *object*?
(The root path, "/", is not considered an object; this returns `false` for it).