Add a way to set ACL per-entry, storing it in some additional security metadata so that only users belonging to certain roles can access it.