ACLs pipes could be great, with following feature:
- .allow(userName) (default allow jcr:all on currentResource to userName, can be overriden with jcr:privilege=... property),
- .deny(userName) (default deny jcr:read on currentResource to userName, can be overriden with jcr:privilege)
- .acls() will return current resource, with in output bindings array of ACLs mentioning principal, privilege of that resource. If current resource is an authorizable, and if some flag is set to true, then returns ACLs attached to that user in the repository.