Implement access management #196
Labels: priority: medium (Medium priority); type: auth (Related to authorization or authentication); type: security (Related to security); workload: days (Likely takes days to resolve)
Is your feature request related to a problem? Please describe.
Currently, access to cwl-WES is granted to everyone with a valid bearer token, provided that the `authorization_required` option is enabled in the app configuration (`cwl_wes/config/app_config.yaml`). However, resources are only restricted inasmuch as users can only perform `GET` operations on workflow runs they have created themselves via `POST /runs`. To protect cwl-WES resources from unprivileged users, access to both `POST` and `GET` methods on `/runs` and derived endpoints should be granted only if a given user has the necessary permissions.

Describe the solution you'd like
Ideally, access management should follow the GA4GH Passport specification to ensure that only privileged users can access resources.
Users are granted access to a resource only if their token contains the necessary visa.
Describe alternatives you've considered
Alternatively, or in addition, an access control management endpoint should be designed that allows devops/system admins to set permissions individually for each user and/or user groups (e.g. ELIXIR AAI groups).
Additional context
N/A
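Added example, not cwl-WES code and not GA4GH reference code: an authorization decision for methods on `/runs` that grants access only if the caller's GA4GH Passport carries a required visa (the proposed solution) or the caller belongs to a group listed in an admin-managed permission table (the alternative). Assumptions, all constructed for the example: tokens are HS256 JWTs under a shared key so it runs offline, whereas real Passports and Visas are signed by their issuers with asymmetric keys resolved via JWKS; the visa type `ControlledAccessGrants` and the `https://example.org/cwl-wes/runs/...` values, the `groups` claim and the `GROUP_PERMISSIONS` table are hypothetical policy, not anything cwl-WES or ELIXIR AAI defines.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-key"  # constructed demo key (real visas: issuer keys via JWKS)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (demo stand-in for an issuer-signed token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_decode(token: str, key: bytes, now=None) -> dict:
    """Verify signature and expiry, then return the claims.

    Raises ValueError on any failure, so claims of an unverified token are
    never handed to the caller. Tokens without `exp` are rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    hdr = json.loads(_b64url_decode(header))
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none and friends
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or "exp" not in claims or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims


def verified_visas(passport: str, key: bytes, now=None) -> list:
    """Return the `ga4gh_visa_v1` objects of every visa in the Passport's
    `ga4gh_passport_v1` claim whose own signature and expiry verify.
    Visas that fail are dropped outright, never trusted partially."""
    claims = jwt_decode(passport, key, now)
    visas = []
    for visa_jwt in claims.get("ga4gh_passport_v1", []):
        try:
            visas.append(jwt_decode(visa_jwt, key, now)["ga4gh_visa_v1"])
        except (ValueError, KeyError, TypeError):
            continue
    return visas


# Hypothetical policy: the visa each method on /runs requires.
REQUIRED_VISA = {
    "GET": {"type": "ControlledAccessGrants",
            "value": "https://example.org/cwl-wes/runs/read"},
    "POST": {"type": "ControlledAccessGrants",
             "value": "https://example.org/cwl-wes/runs/write"},
}

# Hypothetical admin-managed table (the issue's alternative): group -> methods.
GROUP_PERMISSIONS = {"cwl-wes-admins": {"GET", "POST"}}


def is_authorized(passport: str, method: str, key: bytes = SECRET, now=None) -> bool:
    """Allow `method` on /runs if the caller is in a group granted that method
    or holds the required visa. Any verification failure means deny."""
    if method not in REQUIRED_VISA:
        return False  # no rule means no access
    try:
        claims = jwt_decode(passport, key, now)
    except ValueError:
        return False
    for group in claims.get("groups", []):
        if method in GROUP_PERMISSIONS.get(group, set()):
            return True
    want = REQUIRED_VISA[method]
    return any(isinstance(v, dict) and v.get("type") == want["type"]
               and v.get("value") == want["value"]
               for v in verified_visas(passport, key, now))


def make_passport(sub, visas, groups=(), key=SECRET, now=None, ttl=3600):
    """Constructed sample tokens: a Passport whose `ga4gh_passport_v1` claim
    carries one signed Visa JWT per entry in `visas`."""
    now = int(time.time()) if now is None else now
    visa_jwts = [jwt_encode({"iss": "https://visa-issuer.example.org", "sub": sub,
                             "iat": now, "exp": now + ttl,
                             "ga4gh_visa_v1": dict(v, asserted=now)}, key)
                 for v in visas]
    return jwt_encode({"iss": "https://broker.example.org", "sub": sub,
                       "iat": now, "exp": now + ttl, "groups": list(groups),
                       "ga4gh_passport_v1": visa_jwts}, key)


if __name__ == "__main__":
    now = 1_700_000_000
    read_visa = {"type": "ControlledAccessGrants",
                 "value": "https://example.org/cwl-wes/runs/read",
                 "source": "https://dac.example.org", "by": "dac"}
    alice = make_passport("alice", [read_visa], now=now)
    bob = make_passport("bob", [], groups=["cwl-wes-admins"], now=now)
    print("alice GET:", is_authorized(alice, "GET", now=now))    # True
    print("alice POST:", is_authorized(alice, "POST", now=now))  # False
    print("bob POST:", is_authorized(bob, "POST", now=now))      # True
```

The point a practitioner should take from this: the Passport signature alone proves nothing about the visas inside it, since each visa is a separately signed JWT from its own issuer, so every visa has to be verified on its own before its `type`/`value` pair is compared against the policy, and unknown methods, unsigned visas and expired tokens all fall through to deny.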