No way to create AssetUsage rows from the client

debusine asset create allows creating Asset rows in a workspace (so it can't be used for instance-wide debusine:cloud-provider-account assets, but that isn't relevant for the purposes of this issue). However, it doesn't create a corresponding AssetUsage row to make it possible to actually use the new asset, and there's also no analogue of debusine-admin asset grant_role, so as far as I can see it isn't yet possible to effectively create assets from the client side except for special cases where AssetUsage doesn't matter. I wonder if that's an oversight.

We could simply add equivalents of debusine-admin asset list_roles, debusine-admin asset grant_role, and debusine-admin asset revoke_role; assets already define a can_manage_permissions permission, so I don't think that would involve any major new design work.

However, even without adding those new commands, I wonder if we should at least make debusine asset create create an AssetUsage row for the new asset in the given workspace without any roles. AssetPermissionCheckView.post denies all permissions if there's no such AssetUsage row, but even without assigned roles it's possible for an asset permission check to pass due to role implications: for example, we implicitly grant the REPOSITORY_SIGNER role to workspace owners, and I think it might make sense to do that for other new asset roles as well such as the one that would be needed for #1251 (closed). The update_suites workflow creates a "blank" AssetUsage row for the signing keys that it creates for exactly this reason.

@stefanor, does this sound right to you?