Provide finer access control rules

[ramnivas]

Currently, we support access rules for query, create, update, and delete. However, they apply to both forms of APIs: single and bulk. We could offer a more fine-grained control. Along with #685, this could help reduce the exposed APIs.

An example:

@access(query=true) // current
@access(query={single=true, bulk=false, aggregate=false}

Given the new format, we could also rearrange to make the current access control override hierarchy explicit (here, update overrides mutation):

@access(mutation=..., update=...)

to

@access(mutation={default:..., update: ...}