We get a lot of questions around how to deal with the `can_create_x` permission - whether to add it on the x type or somewhere else.
We should add our recommendation of adding it on an upper type.
Some context:
Normally when you are creating an object, you are creating it in the context of something - e.g. create a document in a folder, a team in an org, a photo in an album.
What happens if the thing exists outside of that, e.g. can the user create an org? In those cases, our advice is to create a top-level system object, as you can attach the create permission on that as well as attach other functionality to it.
You can find an example of that in our experimental access control for OpenFGA where can_call_create_store lives under system.
Similar & related questions from the CNCF Channel:
https://cloud-native.slack.com/archives/C06G1NNH47N/p1740011641126949
https://cloud-native.slack.com/archives/C06G1NNH47N/p1722965268391039
https://cloud-native.slack.com/archives/C06G1NNH47N/p1722965001795339
https://cloud-native.slack.com/archives/C06G1NNH47N/p1712581174806949
https://cloud-native.slack.com/archives/C06G1NNH47N/p1718961169696129
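
A sketch of the recommendation above as an OpenFGA model, added here as an illustration; it is not part of the original issue and not the OpenFGA project's own model. The type names, relation names, object IDs and tuples are all hypothetical. Each create permission is defined on the object the new thing is created in, which already exists at check time, and the parentless case is attached to a singleton `system` object.

```openfga
model
  schema 1.1

type user

# Hypothetical singleton root, e.g. system:global. Creating an organization
# has no parent object, so the permission is attached here.
type system
  relations
    define admin: [user]
    define can_create_organization: admin

type organization
  relations
    define admin: [user]
    define member: [user] or admin
    # Folders are created inside an organization.
    define can_create_folder: member

type folder
  relations
    define organization: [organization]
    define owner: [user]
    define editor: [user] or owner
    # Checked against the folder that will contain the new document.
    define can_create_document: editor

type document
  relations
    define parent: [folder]
    define owner: [user]
    define can_edit: owner or editor from parent

# Constructed tuples (user, relation, object):
#   user:anne  admin   system:global
#   user:bob   member  organization:acme
#   user:bob   owner   folder:acme-specs
#
# Checks made before the new object exists:
#   user:anne  can_create_organization  system:global      -> allowed
#   user:bob   can_create_organization  system:global      -> denied
#   user:bob   can_create_folder        organization:acme  -> allowed
#   user:bob   can_create_document      folder:acme-specs  -> allowed
#   user:anne  can_create_document      folder:acme-specs  -> denied
```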