Improve support to create groups/users that have only editor/author role on a subset of the content

Currently, we bootstrap in the repository the following

1. If you are the holder of a draft you get 'readwrite' if you have userrole 'xm-content-author'
2. If you have userrole 'xm-content-author', you get readwrite on any unpublishable document

The above however is unhandy if you want to fine-tune access to content for specific users. The problem is that for downscoping access to a certain channel only, a user cannot have the role 'xm-content-author' : This role namely inherits 'xm-content-viewer' which is the global role giving read access to all content (/content).

Therefor, we need to configure the 'content-readwrite' domain differently as follows

1. Everybody, any user, who is the holder of a content item can write to the item. For this we introduce the userrole 'xm-content-holder' and add that userrole to the group 'everybody'. We'll configure this domain below 'publishable-content-readwrite'
2. Since assets/gallery does not have workflow (and thus never holder) , this domain will still be configured in 'content-readwrite' and will keep the global 'xm-content-author' userrole. Users with downscoped access to content won't have this 'xm-content-author' userrole and thus will require an explicit domain configuration to give readwrite to only certain subsection of gallery / assets