572350 custom dashboard policy

What does this MR do?

Implements granular permission model for custom dashboards based on scope (organization vs namespace) and user roles.

Background

Following discussion in #572350, this MR defines and enforces the permission model for custom dashboards at both organization and namespace levels.

closes #572350 Related to #572348

Organization-Scoped Dashboards (no namespace_id):

• Create: Organization owners only
• Read: All organization members
• Update/Delete: Organization owners OR dashboard creator

Namespace-Scoped Dashboards (with namespace_id):

• Create: Developer+ on namespace (AND org member)
• Read: Reporter+ on namespace (AND org member)
• Update/Delete: Developer+ on namespace OR dashboard creator

Implementation Details

Policy Changes

OrganizationPolicy:

• :read_custom_dashboard - All organization members
• :create_custom_dashboard - Organization owners only

DashboardPolicy:

• Delegates to organization for base permissions
• Adds namespace-scoped permission overrides
• Enables creator retention (creators can always update/delete their own)

Permission Matrix

Scope	Role	Create	Read	Update	Delete
Organization	Owner	✅	✅	✅	✅
Organization	Member	❌	✅	❌	❌
Organization	Creator	❌	✅	✅*	✅*
Namespace	Developer+	✅	✅	✅	✅
Namespace	Reporter+	❌	✅	❌	❌
Namespace	Creator	❌	✅	✅	✅

Key Decisions

1. Role-based permissions - Tied to current role, not user identity
2. Creator retention - Dashboard creators retain update/delete rights even after role changes
3. Developer+ for namespace - Following Product Analytics precedent
4. Namespace permissions override - Namespace-scoped dashboards require namespace access, even for org owners
5. Organization owners restricted - Can only create org-scoped dashboards, not namespace-scoped (unless they also have Developer+ on that namespace)

Testing

• Comprehensive policy specs covering all permission combinations
• Tests for both organization-scoped and namespace-scoped dashboards
• License and feature flag enforcement tests