Make custom admin role work for SaaS for dogfooding

When running in SaaS mode the "Roles and Permissions" configuration is only available in groups but in self-managed it is accessed from the admin settings. This makes sense in SaaS because we do not want to have custom roles created at the instance level that can be used by any other users.

For admin roles, however, there is a use case where we would want to assign custom admin roles to Gitlab employees so that they are enabled to perform the functions of their role without having to grant full admin access to the instance. In order to do so, we need to make the custom roles setting available to the admin area but only for the support of admin-related custom roles.

We have a lot of dogfooding opportunities for custom admin roles in SaaS:

• Credit card verification uses custom admin token to render the credit card form
• PVS has an admin token
• Omamori has an admin token
• Trust and Safety users might benefit from a custom role that allows read_admin_users as well as the ability to ban/unban users.