[BE] Validate propagation of policies when policy owner has restricted privileges
Why are we doing this work
- Whenever a policy is updated, we take the author of the MR that updates the policy as policy_last_updated_by. This user will be used to create/update approval rules and sync PEP metadata, and we pass the user to multiple downstream classes where we scope the queries based on the user (e.g., in ApprovalGroupsFinder). We need to test all these scenarios.
- We need to test all scenarios to make sure that the returned data is not limited by the restricted permissions of the policy owner.
- (optionally) We can consider designating an instance admin as the CSP owner, but at minimum we should document that the policy owner needs to have access to all top-level groups.
Relevant links
Implementation plan
Verification steps
- Create the CSP configuration as an under-privileged user who doesn't have access to all top-level groups
- Create policies with various approvers who are not invited to all top-level groups
- Verify that policy-related structures are properly propagated and applied to all projects
Edited by Martin Cavoj