Document how Portfolio Access Control/ACL works now
Current Behavior
I can't seem to find any documentation on this. The behavior isn't obvious as seen in this comment: https://github.com/DependencyTrack/dependency-track/issues/4828#issuecomment-2823359707
Maybe another important finding: I realized that when a new BOM is uploaded, the newly created sub-project under an existing parent is automatically added to the allowed list of the team in portfolio access control. All further operations done by this team then seem to work fine. When I remove the sub-project from this team (keeping the permission on the parent), further access is forbidden. Same for other teams after initial upload that do not automatically get the sub-project in their "Portfolio Access Control" list but have it on the parent.
It's a shame you have to find out experimentally how it works now.
Proposed Behavior
Access Control is documented
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this enhancement was already requested