Allow policy enforcement on the target of an API, not just its parameters
Today we support policy enforcement on any items that are passed into an API call, even the individual fields of an object. However, there are times when you want to enforce policy on the object the API is operating on (for example on DELETE).
A classic example would be having a domain admin that has the responsibility for managing users in a given domain. A cloud provider would want to be able to set the policy file so that such a domain admin could ONLY manage users in the appropriate domain. Today this works for create user, since we pass the whole object into the call (and domain_id is a field of the user object), but it won't work for update/delete, since the whole user object isn't passed into the call. In fact we want to enforce the policy on the target of the API call, not on the parameters passed into it.
We should also support the protection of role assignments in the same way, e.g. being able to specify that an API caller can only modify a role assignment where the domain_id of the actor (e.g. user or group) of the role assignment is the same as the scope of the caller. This enables the division of administration between, say, a cloud administrator and a domain administrator.
This may not require a change to the policy engine, but would require us to change how we call it for our protected APIs.
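The domain-admin case above, worked through as an added example (not Keystone's own code): a minimal evaluator modelled on the style of Keystone policy rules, with constructed users, showing that a DELETE whose check only sees the request parameters cannot constrain the caller's domain, while the same rule evaluated against the looked-up target user can.

```python
# Added example, not Keystone's own code: a minimal evaluator in the style of
# Keystone policy rules ("key:value" atoms joined by "and", with %(target.x)s
# filled in from the object being acted on), showing why DELETE needs a target.

CONSTRUCTED_USERS = {  # constructed stand-in for the identity backend
    "u-alice": {"id": "u-alice", "domain_id": "dom-a"},
    "u-bob": {"id": "u-bob", "domain_id": "dom-b"},
}
# With only request parameters available, DELETE carries just a user id, so
# the caller's domain has nothing to be compared against: role check only.
RULE_PARAMS_ONLY = "role:domain_admin"
# Once the looked-up user is passed as the target, the domain can be matched.
RULE_ON_TARGET = "role:domain_admin and domain_id:%(target.user.domain_id)s"

def _flatten(obj, prefix=""):
    """{"target": {"user": {"domain_id": "x"}}} -> {"target.user.domain_id": "x"}"""
    flat = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            flat.update(_flatten(value, prefix + key + "."))
        else:
            flat[prefix + key] = value
    return flat

def enforce(rule, creds, target):
    """All atoms must hold: 'role:X' looks in creds['roles']; any other key is
    compared to creds[key]; a %(path)s value is read from the flattened target."""
    flat = _flatten(target)
    for atom in rule.split(" and "):
        key, _, value = atom.partition(":")
        if value.startswith("%(") and value.endswith(")s"):
            value = flat.get(value[2:-2])  # absent target attribute -> None
        if key == "role":
            ok = value in creds.get("roles", ())
        else:
            ok = value is not None and creds.get(key) == value
        if not ok:
            return False  # deny on the first failing atom
    return True

def delete_user_params_only(creds, user_id):
    """Today's call shape: the check sees only the parameters (the id)."""
    return enforce(RULE_PARAMS_ONLY, creds, {"user_id": user_id})

def delete_user_on_target(creds, user_id):
    """Proposed shape: fetch the object first, then enforce against it."""
    user = CONSTRUCTED_USERS.get(user_id)
    if user is None:
        return False  # unknown target: nothing to authorise against
    return enforce(RULE_ON_TARGET, creds, {"target": {"user": user}})
```

With the parameters-only shape a dom-a domain admin is allowed to delete u-bob in dom-b; with the target shape the same caller is confined to dom-a.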
Blueprint information
- Status: Complete
- Approver: Henry Nash
- Priority: Medium
- Drafter: Henry Nash
- Direction: Approved
- Assignee: Henry Nash
- Definition: Review
- Series goal: Accepted for havana
- Implementation: Implemented
- Milestone target: 2013.2
- Started by: Henry Nash
- Completed by: Henry Nash
Whiteboard
[kspear] +1. If you're looking for use cases: at NeCTAR we want to be able to assign a TenantManager role to a user in a tenant that then allows the user to add/remove users in that particular tenant.
Gerrit topic: https:/
Addressed by: https:/ (Implement API protection on target entities)