research: Nerdpack data access cross-account #26

Open
devfreddy opened this issue Feb 4, 2020 · 0 comments
@devfreddy
Contributor

The workload account dictates the permissions for which users can see that workload.

Thinking about this scenario:

A 3rd party Nerdpack is deployed to master Account 1
Account 2 & Account 3 are sub-accounts of master Account 1
Account 2 is subscribed to the Nerdpack and is able to do so because it's a sub-account of Account 1 where it is deployed
Account 3 is not subscribed to the Nerdpack

Workload 1 has a workload.accountId of 2
Workload 1 contains entities from Account 2 & Account 3

The Nerdpack queries for all entities tied to Workload 1

Presumably only entities from Account 2 are returned. In order to return entities from Account 3 as well, the Nerdpack would need to be subscribed higher up the tree on Account 1.

From a UI perspective, we should do a diff on the accounts a Nerdpack/User combo has access to with the results from scopeAccounts on the workload collection to find the difference and inform the user "Hey, this Nerdpack cannot see the entities from Accounts [1, 2, 3] for this workload" and some recommendation for resolving.

This gets tricky, and may not be something we solve for a v1, but is worth noting and being mindful of.
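
The diff described in the issue, as an added example that is not part of the original post or the project's code. It assumes a subscription on an account also covers that account's sub-accounts, as the scenario implies; the function names, the `parentOf` map and the input shape are hypothetical, and the account data is constructed from the scenario.

```javascript
// Constructed account tree from the scenario: account id -> parent id.
const parentOf = new Map([[1, null], [2, 1], [3, 1]]);

// The account itself followed by its ancestors; stops on unknown ids or cycles.
function chain(accountId, parents) {
  const out = [];
  for (let id = accountId; id != null && !out.includes(id); id = parents.get(id) ?? null) {
    out.push(id);
  }
  return out;
}

// Assumption: a subscription on an account also covers its sub-accounts.
function visibleAccounts(subscribed, userAccounts, parents) {
  const subs = new Set(subscribed);
  return new Set(userAccounts.filter((id) => chain(id, parents).some((a) => subs.has(a))));
}

// Diff the workload's scopeAccounts against what this Nerdpack/user combo can see.
function workloadVisibilityGap({ scopeAccounts, subscribed, userAccounts, parents }) {
  const visible = visibleAccounts(subscribed, userAccounts, parents);
  const userSet = new Set(userAccounts);
  const hidden = scopeAccounts.filter((id) => !visible.has(id));
  // Split the gap by cause: the user lacks the account, or the Nerdpack does.
  const noUserAccess = hidden.filter((id) => !userSet.has(id));
  const notSubscribed = hidden.filter((id) => userSet.has(id));
  // Lowest account whose subtree contains every scope account.
  const chains = scopeAccounts.map((id) => chain(id, parents));
  const common = chains.length
    ? chains[0].find((a) => chains.every((c) => c.includes(a))) ?? null
    : null;
  return { hidden, noUserAccess, notSubscribed, subscribeAt: notSubscribed.length ? common : null };
}

// Scenario from the issue: Nerdpack subscribed on Account 2 only.
const gap = workloadVisibilityGap({
  scopeAccounts: [2, 3], subscribed: [2], userAccounts: [1, 2, 3], parents: parentOf,
});
if (gap.hidden.length) {
  console.log(`This Nerdpack cannot see entities from accounts [${gap.hidden.join(', ')}] for this workload.`);
  if (gap.subscribeAt != null) console.log(`Subscribing it on account ${gap.subscribeAt} would cover them.`);
}
```

Keeping `noUserAccess` separate from `notSubscribed` lets the UI avoid recommending a subscription change when the real cause is that the user has no access to the account.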
