Restore the ability of self-managed group level custom role creation

• In a recent group sync we realized we have introduced a breaking change, though it hasn't shipped in a version yet. Let's restore the change, so we can follow the proper path of deprecations.
• This change must ship in 16.9.

Implementation:

• Currently, a self-managed instance cannot create group-level member roles
• We will introduce a feature flag, restrict_member_roles which will be disabled by default. This way, self-managed instances will be able to create both group-level & instance-level member roles.
• Once the migration from group-level to instance-level roles is complete, we can turn on the FF, after which the intended behaviour to not allow self-managed instances to create group-level member roles will be restored.