Implement RBAC with Roles and Groups

Add role-based access control using FusionAuth roles and groups.

  • Define role hierarchy and permissions model
  • Configure roles in FusionAuth (system of record)
  • Implement permission checks in Portal API based on user roles
  • Support group-based role assignment (users inherit roles from groups)
  • Extend Users & Access app to manage:
      • Users (view, invite, deactivate)
      • Roles (view, assign to users/groups)
      • Groups (create, edit, manage membership)
  • All management operations call FusionAuth Admin API

Open questions:

  • What roles are needed initially? (Admin, Manager, User, etc.)
  • What permissions map to each role?
  • Are roles organization-scoped or global?