Currently User* pointers are checked in and out of the AuthorizationManager, by entities which want to access users. The AuthorizationManager will invalidate User*s if their underlying user document is modified. When this happens, consumers should return their User* and get an up to date copy. When the old User*'s refcount reaches 0, the AuthorizationManager releases its memory.

We should have an RAII type for Users. Then, consumers cannot forget to release the memory. It should be possible to load and remove these objects into UserSets, without ever letting ownership leak even for a moment.