Allow for ACL's on functionality/tiles to support segregation of duties

Hello, 

I think it would be very valuable to define ACL's at a level that are more related to the activities that different users may have. Axiom contains more granular functionality, but I think Canary Admin would hugely benefit of something like this.

For example, based on the following groups that can be defined (just a proposal, not a full solution!):

• Administrators: should have full view of all functionality in Canary Admin and Axiom (as I believe it does now). 
• Configurator / Engineering: should be able to see/modify settings in Canary Admin for collectors (OPC, SQL, CSV...), Views, Calcs and Events, Store and Forward and Historian. This user should never be able to see Services, Licenses, Identity, etc. 
• Audit: should be able to see Messages only (for example).
• Supervisors: should be able to consume Axiom reports and create them. 
• Operators: should be able to ONLY consume Axiom reports. 

There may be other flavors of this, the above is just a proposal based on the type of roles that may exist on a plant. This facilitates segregation of duties as a principle supported by regulations. 

Let me know what you think of this. 

Thanks