Currently, it is possible to have multiple access control entries for the same role in the same access control list, e.g.
ROLE_USER read=true write=false
ROLE_USER read=false write=true
While it is possible to implement strategies for resolving contradicting ACEs (e.g. depending on order of occurence, more restrictive wins, etc.), there does not seem a valid use case where it would make any sense to actually allow multiple ACEs for a single role within the same ACL.
The goal of this task is ensure that there can be at most one ACE per role so that we don't need any strategies to handle and resolve conflicts that can occur when allowing multiple ACEs per role.
Don't allow this in Admin UI
Don't allow this via External API (or implement a merge strategy, but preferably disallow)
Don't allow this via any other endpoint that can ingest ACLs (or implement merge strategy)
Detection and migration of existing ACLs containing multiple ACE per role