Allow granting agent user access across top level groups

Problem to solve

Currently, projects and groups configured under user_access in the agent configuration file must belong to the same top-level group as the agent configuration project. This is the same restriction that was in place for CI access prior to #377932 (closed), which allowed any project or group to be specified if the organization_cluster_agent_authorization_enabled application setting was enabled.

Proposal

Implement the same behaviour for user_access that currently exists for ci_access: any project or group can be specified if the organization_cluster_agent_authorization_enabled application setting is enabled.

The implementation will be very similar to !190769 (merged), except the changes will be in the user access code instead of CI access.
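Before enabling the setting, it helps to know which user_access entries it would newly authorize. The following is an added example, not GitLab's code: it models only the top-level group rule described in this issue, and the sample configuration, the agent project path and the helper names are constructed for illustration.

```ruby
require "yaml"

# Constructed sample agent configuration (not taken from the issue).
SAMPLE_CONFIG = <<~YAML
  user_access:
    access_as:
      agent: {}
    projects:
      - id: platform/apps/web
      - id: partners/acme/portal
    groups:
      - id: platform/sre
      - id: partners
YAML

# The top-level group is the first segment of a full path.
def top_level_group(full_path)
  full_path.to_s.split("/").first
end

# Hypothetical helper: classify each user_access entry relative to the
# top-level group of the agent configuration project. An entry is allowed
# when it shares that group, or when the application setting is enabled.
def audit_user_access(config_yaml, agent_project_path, org_setting_enabled:)
  config = YAML.safe_load(config_yaml) || {}
  user_access = config["user_access"] || {}
  root = top_level_group(agent_project_path)

  %w[projects groups].flat_map do |kind|
    Array(user_access[kind]).map do |entry|
      path = entry["id"]
      same_root = top_level_group(path) == root
      { kind: kind, path: path, cross_top_level: !same_root,
        allowed: same_root || org_setting_enabled }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |enabled|
    puts "organization_cluster_agent_authorization_enabled=#{enabled}"
    audit_user_access(SAMPLE_CONFIG, "platform/infra/agents",
                      org_setting_enabled: enabled).each do |r|
      puts format("  %-8s %-22s cross=%-5s allowed=%s",
                  r[:kind], r[:path], r[:cross_top_level], r[:allowed])
    end
  end
end
```

Entries reported with cross=true are the ones whose access depends entirely on the application setting, so they are the ones to review before it is switched on.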

Feature Usage Metrics

Does this feature require an audit event?

Edited by 🤖 GitLab Bot 🤖