Add an `AccessPolicy.customized` field to tell if a user has customized one or not
Developers ship a default access policy and users can customize it. At some point later developers will need to adjust the default policy, but this should only happen if a user has not already customized it. Right now it would be difficult to determine if the user customized it or not.
Add a field to AccessPolicy called
customized which defaults to False. Any user change to the policy will set this to True.