docs: prefix-based access control guide

[jwhartley]

Summary

• Adds a new Access Control sidebar section, moving the existing "Authorizing Users" page there
• Adds a new guide: Prefix-based access control covering the four layers of sub-prefix isolation and three common scenarios

Context

Customers frequently ask how to restrict users and tasks to sub-prefixes (e.g. staging vs. prod, regional isolation). The existing auth docs explain capabilities conceptually but don't cover practical setup or the interaction between the four layers (user grants, role grants, storage mappings, data plane access).

This is raw content for @aeluce to take over — location, structure, and format are all up for grabs.

Scenarios covered

1. Default — single prefix, no isolation (what every new org starts with)
2. Environment isolation with cross-read — dev/prod where dev tasks can read prod collections
3. Full isolation — EU/US with separate storage, data planes, and per-user admin scope

Notes

• Technically reviewed against internal Slack threads with Johnny (confirmed accuracy of the four-layer model, grant additivity, longest-prefix-match for storage/data planes)
• Data plane UI visibility bug (RLS → GraphQL migration) is mentioned in a note
• Private link limitation is called out in the Limitations section

[github-actions]

🚀 Preview deployed to https://docs.estuary.dev/pr-preview/pr-2839/

📄 Changed pages:

• /reference/authentication/
• /guides/prefix-access-control/