I see the AQL tool has a --file=/path/to/ddl option. Is this the recommended mechanism for automating access control (user, group) configuration on initial deployment? Is there a way to drop this file in a specific location on disk instead of using the AQL tool? Looking for best practices for automating access control.