  • #387073

Create service account user type and associated scopes/policies

This issue encompasses many of the backend changes necessary for Service Accounts MVC.

Define service_account user type and update/create associated scopes. This issue will also entail policy updates for :log_in permission. Ensure users don't take billable seat at instance-level.

High-level thoughts on code changes needed:

  1. Define a new user_type in https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/concerns/has_user_type.rb.
    • We will also need to define new scopes and update existing scopes to ensure this new user type isn't included where not desired.
  2. Update global policy to indicate whether :log_in is permissible
    • Do we want these accounts to be able to sign in? I don't think so, but if yes, we probably have other things we need to validate. What implications does allowing these users to sign in have?
    • The question of sign-in also has implications for how tokens are then created for these service accounts. Either we need to allow creating the tokens similar to how we manage project/group access tokens now (don't need to sign in to the user to do so) or just allow the account to have someone sign in and create/manage tokens.
  3. To delineate between instance-level service accounts and group accounts, we can probably re-use the provisioned_by_group attribute. This would mean if a service account is instance-level they would have a nil provisioned_by_group while one created by a group would have that value populated.
    • I believe we will only allow service accounts to be created and tied to top-level groups, and not subgroups? The accounts can still be granted specific privileges at subgroup/project level but cannot be created there, presumably.
  4. Ensure the user doesn't take a billable seat.
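The four changes above sketched as plain Ruby, as an added illustration that is not GitLab's code: the User struct, the filter "scopes" and the GlobalPolicy module are assumptions standing in for the real ActiveRecord scopes in has_user_type.rb and the DeclarativePolicy rules, and the sample users are constructed.

```ruby
# Added illustration (not GitLab's code). Simplified stand-in for a
# user record with the new :service_account user_type from the issue.
User = Struct.new(:username, :user_type, :provisioned_by_group, :state, keyword_init: true) do
  def human?           = user_type == :human
  def bot?             = user_type == :bot
  def service_account? = user_type == :service_account
  def active?          = state == :active

  # Instance-level service accounts carry no provisioning group (nil);
  # group-created ones record the top-level group that provisioned them.
  def instance_level_service_account? = service_account? && provisioned_by_group.nil?
  def group_service_account?          = service_account? && !provisioned_by_group.nil?
end

# "Scopes" written as plain filters over an in-memory collection.
module UserScopes
  module_function

  # Real people only: the new user type must not leak into human-user scopes.
  def humans(users)   = users.select(&:human?)
  # Seat counting: service accounts (like bots) never take a billable seat.
  def billable(users) = users.select { |u| u.active? && u.human? }
  def service_accounts(users)          = users.select(&:service_account?)
  def instance_service_accounts(users) = users.select(&:instance_level_service_account?)
end

# Global-policy stand-in (assumed policy): :log_in is granted to active
# humans only, so service accounts act solely through tokens.
module GlobalPolicy
  module_function

  def allowed?(user, ability)
    ability == :log_in && user.active? && user.human?
  end
end

# Constructed sample data covering each case the issue distinguishes.
def sample_users
  [
    User.new(username: "alice",   user_type: :human,           provisioned_by_group: nil,    state: :active),
    User.new(username: "ci-bot",  user_type: :bot,             provisioned_by_group: nil,    state: :active),
    User.new(username: "svc-inst", user_type: :service_account, provisioned_by_group: nil,   state: :active),
    User.new(username: "svc-grp", user_type: :service_account, provisioned_by_group: "acme", state: :active)
  ]
end
```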
Edited Jan 09, 2023 by Drew Blessing