
Pre-selected permissions based on base default role

Summary

When a user creates a custom role and selects a base role, permissions can be pre-selected to make the form easier to fill out.

Proposal

  • Pre-selection is based on project-level permissions.
  • To scale, permissions added in the future should be validated to ensure pre-selection is maintained. For example, if a contributor adds two new permissions, they become pre-selected if they align with a project-level role. The exception: if the project Maintainer and group Maintainer differ for a permission, it should not be pre-selected.

Reporter - Preselect

  • Read code

Planner - Preselect

  • Permissions above ☝️

Developer - Preselect

  • Permissions above ☝️ +
  • Read crm contact
  • Read dependency
  • Read vulnerability

Maintainer - Preselect

  • Permissions above ☝️ +
  • Admin terraform state
  • Admin vulnerability
  • Admin integrations
  • Manage project access tokens
  • Read runners
  • Push rules

The following permissions are not pre-selected, either because they contain Owner privileges or because the project Maintainer and group Maintainer are not equivalent.

  • Runners
  • Deploy tokens
  • Merge request settings
  • Compliance frameworks
  • Group access tokens
  • Security policy links
  • CI/CD variables
  • Manage group members
  • Approval
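
The lists above and the validation rule from the proposal, as an added example (not GitLab's own code): it computes the cumulative pre-selection for a base role and flags a new permission whose table entry disagrees with its declared alignment. The identifiers are snake_cased forms of the labels in this issue, and the `Permission` struct with its `maintainer_scopes_match` field is a hypothetical shape for the metadata a contributor would declare.

```ruby
# Added example: identifiers are snake_cased labels from this issue, not GitLab's code.
ROLE_ORDER = %i[reporter planner developer maintainer].freeze

# What each base role adds on top of the roles listed before it.
ROLE_ADDITIONS = {
  reporter: %i[read_code],
  planner: [],
  developer: %i[read_crm_contact read_dependency read_vulnerability],
  maintainer: %i[admin_terraform_state admin_vulnerability admin_integrations
                 manage_project_access_tokens read_runners push_rules]
}.freeze

# Never pre-selected: Owner privileges, or project and group Maintainer not equivalent.
NOT_PRESELECTED = %i[runners deploy_tokens merge_request_settings compliance_frameworks
                     group_access_tokens security_policy_links ci_cd_variables
                     manage_group_members approval].freeze

# Hypothetical metadata a contributor declares for each new permission.
Permission = Struct.new(:name, :project_role, :maintainer_scopes_match, keyword_init: true)

# Cumulative pre-selection for a base role ("Permissions above +").
def preselected_for(base_role, additions = ROLE_ADDITIONS)
  idx = ROLE_ORDER.index(base_role)
  raise ArgumentError, "unknown base role: #{base_role}" if idx.nil?
  ROLE_ORDER[0..idx].flat_map { |role| additions.fetch(role, []) }.uniq
end

# Role under which a permission should be pre-selected, or nil for "leave unchecked".
def expected_role(perm)
  return nil unless ROLE_ORDER.include?(perm.project_role)
  return nil unless perm.maintainer_scopes_match
  perm.project_role
end

# Compares the declared metadata with the table and reports every mismatch.
def validation_errors(perms, additions = ROLE_ADDITIONS)
  errors = (additions.values.flatten & NOT_PRESELECTED).map do |name|
    "#{name}: excluded permission is pre-selected"
  end
  perms.each do |perm|
    expected = expected_role(perm)
    actual = additions.find { |_role, names| names.include?(perm.name) }&.first
    next if expected == actual
    errors << "#{perm.name}: expected #{expected.inspect}, table has #{actual.inspect}"
  end
  errors
end
```

Run as a CI check, a non-empty `validation_errors` result would fail the build when a new permission is added without updating the pre-selection table, or when an excluded permission ends up pre-selected.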

Design (linked here)

  • For permissions pre-selected from the default role, select and disable the check boxes, and add a badge with the text "Added from <default role>".
  • When Maintainer is selected as the base role, show helper validation text: "The default Maintainer role contains permissions scoped only to a project. To customize this role with equivalent permissions across groups and projects, you must explicitly select the permission again."
  • Replace the sub-text under base role: change "pre-existing static role" to "default role" in the base role dropdown information text.
Edited by Joe Randazzo