Group level administrators

Problem statement

When GitLab is operating in a multi-tenant SaaS environment, for example GitLab.com, a top level group is the entity which an organization is given control over.

When this happens, they should be able to manage a variety of settings, like default permissions, audit logs, and other general maintenance and security activity.

Currently we don't have a dedicated role for this activity, and it is instead tied to the group Owner role (I think?). This role also grants read/write privileges to repos, which may be undesirable.

We should consider an administrator/auditor type role, which would be able perform these functions without the additional write access.