Enforce that a Member can only be associated with Role if access_level matches

Background

The ~"group::authentication and authorization" team has been working towards enabling custom roles and permissions in GitLab. We started with a technical discovery, and from it derived the following tasks:

  1. create a new model Role with two columns for now: base_access_level, download_code. Add the association via Member#role_id (weight: 2)
  2. enforce that a Member can only be associated with a Role if access_level matches (weight: 2)
  3. enforce that Member#access_level cannot be changed if associated with a custom role (weight: 2)
  4. create a UI to edit the Role (weight: 5), or only an API, as the description suggests (weight: 3)
  5. edit ProjectPolicy: depending on the feature flag, download_code should use the existing logic or be evaluated from the Role associated with the user in that group hierarchy (weight: 3)
  6. evaluate performance (we might want to involve groupscalability) and define next steps based on that

These tasks will allow us to evaluate the performance constraints. This feature is not user facing.

Requirements

This is the second step from the technical discovery:

enforce that a Member can only be associated with Role if access_level matches
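One way the check can look at the model layer, written as an added illustration for this issue and not taken from GitLab's code base: plain Ruby classes stand in for the ActiveRecord models, the attribute names follow the plan above (Role#base_access_level, Role#download_code, Member#access_level, Member#role_id), and the numeric access levels in ACCESS_LEVELS are assumed for the example rather than read from Gitlab::Access.

```ruby
# Added illustration, not GitLab's own code. Plain Ruby stands in for the
# ActiveRecord models; attribute names follow the plan in this issue.
# ACCESS_LEVELS mirrors the numeric levels GitLab uses; the exact values are
# an assumption made for this example.
ACCESS_LEVELS = {
  guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50
}.freeze

# Minimal Role record: a custom role is anchored to exactly one base access level.
Role = Struct.new(:id, :base_access_level, :download_code, keyword_init: true)

# Minimal Member record carrying the validation this issue asks for.
class Member
  attr_reader :access_level, :role, :errors

  def initialize(access_level:, role: nil)
    @access_level = access_level
    @role = role
    @errors = []
  end

  def role_id
    role&.id
  end

  # Mirrors ActiveRecord's valid?: reset errors, run validations, report.
  def valid?
    @errors = []
    validate_access_level_known
    validate_role_matches_access_level
    @errors.empty?
  end

  private

  def validate_access_level_known
    return if ACCESS_LEVELS.value?(access_level)

    @errors << "access_level #{access_level.inspect} is not a known access level"
  end

  # The check from this issue: a member may carry a custom role only when the
  # role's base_access_level equals the member's own access_level. A member
  # without a custom role (role_id nil) keeps the existing behaviour untouched.
  def validate_role_matches_access_level
    return if role.nil?
    return if role.base_access_level == access_level

    @errors << "role #{role.id} has base_access_level #{role.base_access_level}, " \
               "which does not match member access_level #{access_level}"
  end
end

# Convenience wrapper: build a member and report whether it would save.
def member_valid?(access_level:, role: nil)
  Member.new(access_level: access_level, role: role).valid?
end

if __FILE__ == $PROGRAM_NAME
  guest_downloader = Role.new(id: 1, base_access_level: ACCESS_LEVELS[:guest], download_code: true)
  puts member_valid?(access_level: ACCESS_LEVELS[:guest], role: guest_downloader)     # true
  puts member_valid?(access_level: ACCESS_LEVELS[:developer], role: guest_downloader) # false
  puts member_valid?(access_level: ACCESS_LEVELS[:developer])                         # true
end
```

Two caveats a reviewer would raise: a model validation only guards writes that go through the model, so paths that write role_id or access_level directly (update_column, raw SQL, data migrations) bypass it, and the same invariant must hold when access_level changes on a member that already has a role, which is what the next step in the plan covers.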

Edited by Hannah Sutor