Add an 'OR' option to @Access

[jskupsik]

We have a convenient@Access annotation, powered by AccessInterceptor.groovy, which supports a list of role names and requires a user to have all of those roles in order to get access to the tagged class or endpoint method.

We are missing a way of easily annotating an OR permission, where a user would be required to have at least one of the roles listed to access an endpoint.

[amcclain]

I would argue this would be the more useful / expected default behavior, given that the annotation takes a collection. I more commonly think of "adding roles to an ACL" where each role is granted access, vs. "specifying a list of roles where you must have all of them".

Not saying we should go and change the default, but we could consider it. I highly doubt there are many (any?) examples out there with multiple roles. We could provide a new way to spec the "AND" case and then release with a big changelog banner to call out the need for a quick code search.