[BUGFIX] Make entity-only ACLs possible in PolicyService
The PolicyService would throw an exception in matches() if no method
configuration was defined in the ACL for a role. Now that per-entity ACL
configuration is possible, this is too restrictive.
Also cleans up the code.