Changes for SAML group lock self-managed

Smriti Garg requested to merge smriti-386390/saml_group_lock_self_managed into master

What does this MR do and why?

Solves https://gitlab.com/gitlab-org/gitlab/-/issues/38639 for self-managed GitLab.

With this change we have introduced policy changes to disallow any group members other than Admin or group owners from adding new members to a group in case it's a subgroup of a group that has SAML Group Links configured.

For project policy, changes have also been made so that users are not allowed to share a project with other groups or invite members to a project created in a group in case the SAML Group Lock setting is configured.

Screenshots or screen recordings

A new option for Lock Memberships for SAML Synchronization is added in Admin > Settings > General > Visibility and access controls

Screenshot_2023-02-28_at_12.40.11_PM

How to set up and validate locally

  1. Log in to the application as the root user.
  2. Enable SSO and enter some SAML Group Links for a group. I did this for the Twitter group in my GDK setup.
  3. Create a new group and assign the group one more user with the owner role. Transfer this group as a child group of the group you set up in step 2 (in my case, a child group of the Twitter group).
  4. Add a project to the child group or the top-level group.
  5. Go to Admin > Settings > General > Visibility and access controls and enable the setting Lock Memberships to SAML Synchronization.
  6. Log in to the application as the owner of the child group and observe that you cannot invite members to the group.
  7. Log in to the application as the root user or admin of the parent group and observe that you can invite members to the group.
  8. Observe that you cannot invite members to the project created in step 4.

Screenshot for Invite Members button being visible in case the setting is not enabled Screenshot_2023-02-28_at_12.42.46_PM

Screenshot for Invite Members button being removed in case the setting is enabled Screenshot_2023-02-28_at_12.44.05_PM

Migration output

Screenshot_2023-02-28_at_12.56.25_PM

Edited by Smriti Garg
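
The validation steps above can be read as a small access-control specification. The following is an added example, not code from this merge request or from GitLab: a simplified Ruby model of that decision, in which every class, method and field name is hypothetical. It assumes that the lock applies to any group with a SAML-linked ancestor, and that "group owners" means owners of that SAML-linked ancestor.

```ruby
# Added illustration: a simplified model, not GitLab's policy code.
# All names below are hypothetical.
User  = Struct.new(:name, :admin)
Group = Struct.new(:name, :parent, :owners, :saml_group_links) do
  # Proper ancestors of this group, nearest first.
  def ancestors
    list = []
    node = parent
    while node
      list << node
      node = node.parent
    end
    list
  end
end

# Ancestors whose SAML group links put this group's membership under the lock.
def saml_linked_ancestors(group)
  group.ancestors.select { |g| g.saml_group_links.any? }
end

# Decide whether `user` may invite members to `group`.
# lock_enabled models the instance-wide admin setting described in the MR.
def can_invite_member?(user, group, lock_enabled:)
  return true if user.admin
  # Baseline (assumed): owners of the group or of any ancestor may invite.
  chain = [group] + group.ancestors
  return false unless chain.any? { |g| g.owners.include?(user) }
  linked = saml_linked_ancestors(group)
  return true unless lock_enabled && linked.any?
  # Lock active: only owners of a SAML-linked ancestor keep the ability.
  linked.any? { |g| g.owners.include?(user) }
end

# Constructed sample data mirroring the validation steps.
ROOT_ADMIN   = User.new("root", true)
PARENT_OWNER = User.new("parent-owner", false)
CHILD_OWNER  = User.new("child-owner", false)
PARENT = Group.new("twitter", nil, [PARENT_OWNER], ["saml-group-a"])
CHILD  = Group.new("child", PARENT, [CHILD_OWNER], [])
```

Checks like these, written against the real policy classes, are the regression tests a reviewer would want for a change of this kind, including the case where the setting is off and the case of a group with no SAML-linked ancestor.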