CLOUDSTACK-6560: IAM - Admin user is denied permission to create Egress rule for a user's network

Changes:
- CS 4.3 handled Network entity in two ways:
a) Specified "UseNetwork" access and did a strict check w.r.t who can use this network. Regular users and Domain Admin went through the strict check. Root admin got access always.
b) Specified "null" access and that meant admins can access this network for the calling API that passes null access.

- Fixing CS 4.4 IAM to handle this behavior:
a) "UseNetwork" is mapped to "UseEntry" and IAM check will be done only for domain admin and regular users when this access is specified. Root Admin is granted access.
b) If "null" access is specified, root and domain admin both are granted access. Regular users still go through IAM.
Prachi Damle 2014-05-01 15:40:23 -07:00
parent e89c628843
commit 2e5b529157
2 changed files with 2 additions and 2 deletions

@ -1133,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
}
if (!template.isPublicTemplate()) {
_accountMgr.checkAccess(caller, null, template);
_accountMgr.checkAccess(caller, AccessType.ListEntry, template);
}
List<String> accountNames = new ArrayList<String>();
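
Review bot: the switch from `null` to `AccessType.ListEntry` in the `_accountMgr.checkAccess(caller, ..., template)` call for non-public templates is not explained by the commit message, which only describes Network handling. With `ListEntry` this call no longer satisfies the `accessType == null || accessType == AccessType.UseEntry` clause visible in the AccountManagerImpl hunk, so the template permission check takes a different path than it did before. Please state in the message, or in a comment at the call site, why `ListEntry` is the right access type here and which callers are expected to gain or lose access to private templates.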

@ -497,7 +497,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
&& (accessType == null || accessType == AccessType.UseEntry)) {
for (ControlledEntity entity : entities) {
if (entity instanceof VirtualMachineTemplate || entity instanceof Network
if (entity instanceof VirtualMachineTemplate || (entity instanceof Network && accessType != null && (isDomainAdmin || isResourceDomainAdmin))
|| entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
// Go through IAM (SecurityCheckers)
for (SecurityChecker checker : _securityCheckers) {
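
Review bot: in the new `entity instanceof Network && accessType != null && (isDomainAdmin || isResourceDomainAdmin)` clause, `accessType != null` can only mean `AccessType.UseEntry`, because the enclosing condition already restricts `accessType` to null or `UseEntry`; writing `accessType == AccessType.UseEntry` would make the intent explicit. A Network passed with null access now does not enter this IAM SecurityCheckers loop, which is a deliberate exemption from the authorization check and deserves a comment beside the condition saying which callers it is meant for. The commit changes 2 files with 2 additions and no test, so a case exercising root admin, domain admin and regular user against both null and `UseEntry` access would guard this condition against regressions.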