Generate custom permission for Protected Environments

What does this MR do and why?

Issue Link - #471385 (closed)

This MR adds a new custom permission called admin_protected_environment for managing protected environments.

This has been implemented behind a new feature flag, which is disabled by default, to accommodate the REST and GraphQL API changes in subsequent merge requests.

Screenshots or screen recordings

project-level-access-control

group-level-access-control

How to set up and validate locally

  1. You must be on an Ultimate license to test this feature.

  2. You need to have SaaS mode turned off with export GITLAB_SIMULATE_SAAS=0 to be able to access the Roles and Permissions page, /admin/application_settings/roles_and_permissions.

Note - If you have SaaS mode on, then you can only access the Roles and Permissions page of a group, not the instance-wide page.

  3. In the Rails console, enable the feature flag:

    Feature.enable(:custom_ability_admin_protected_environments)

  4. Visit the Roles and Permissions page.

  5. Ensure you can see a new permission, Manage Protected Environments.

  6. Create new roles with the base role as Guest/Planner/Developer/Reporter and add the custom permission Manage Protected Environments.

  7. Test if the custom permission is working correctly:

    Test at Group Level

    • Log in as the Group owner.
    • Add a new member to the Group with the newly created role.
    • Log in as the new member and visit: Groups → group-name → Settings (left sidebar).
    • The CI/CD option will be available, and you can CRUD protected environments.

    Test at Project Level

    • Log in as the Project owner.
    • Add a new member to the Project with the newly created role.
    • Log in as the new member and visit: Projects → project-name → Settings (left sidebar).
    • The CI/CD option will be available, and you can CRUD protected environments.
Edited by Ayush Billore
