Turns out the service role support doesn't quite work,
because you could not enumerate nodes regardless of node
owner or lessee in order to enable services like Nova to
enumerate nodes to be able to schedule upon them, or
networking-baremetal to enumerate ports in update mapping
in Neutron.
So this change enables permissions to be modified to allow
service project users with the service role to enumerate the
list of resources, and grants rights similar to "system scoped
members" to the service project's users with the "service" role
which aligns with update actions to provision/unprovision nodes.
Adds some additional rbac testing to ensure we appropriately
covered these access rights.
Closes-Bug: 2051592
Change-Id: I2b4bcc748b6e43e4215dc45137becce301349032
0313ce26b5