Provisioned Accounts - Allow setting "Project limit" and "Can create groups" attributes

Release notes

GitLab administrators will have the option to modify attributes for users provisioned by their group's SAML or SCIM integration. In this first iteration, administrators can reduce the risk of accidental exposure of their intellectual property by preventing their users from creating groups or projects outside of groups they are not already members of.

Problem to solve

Enterprise customers want more control over accounts in their group. See &4786 for more information.

Proposal

For accounts that are being provisioned using SAML JIT, give administrators the option to create users that can only create groups/projects within their top-level group. To achieve this, we can allow administrators to set users will have a "Project limit" value to 0 and "Can create groups" to false.

This setting will only be forward-looking and effective on users created after this setting is enabled. We will have a separate issue to apply these values to existing users.