Restrict personal access tokens to specific groups
Following the addition of support for limiting personal access tokens to a specific project (https://gitlab.com/gitlab-org/gitlab-ce/issues/20993), we should add support for limiting them to groups too.
Proposal
Add the ability to limit API access by personal access tokens to specific groups when creating a token.
- In /profile/personal_access_tokens, allow a user to optionally specify which groups should be accessible when creating a PAT. A user should still be able to create a PAT scoped for all projects/groups.
- A user should be able to specify a single group or multiple groups.
- The list of active Personal Access Tokens presented on this page should reflect the scope of the token (e.g. if applicable, the projects the PAT is scoped to).
- A user should be able to revoke from the list, as they're currently able.
- This functionality will be used to build Group Level Access tokens.
- We also plan to use this functionality to build a Group-specific Credential Inventory for GitLab.com. A group administrator can remove their group from the scope of a user's PAT.
Edited by Melissa Ushakov