Make authorizer policies configurable
The authorizer should govern access to the resources (lists, subscriptions, keys) based on a per-list configurable set of capabilities.
When the keyword handlers also use the new controllers (!240 (merged)), these capabilities should replace the keywords_admin_only
option.