Service accounts

This adds the concept of "service accounts" to castellum. Those are just regular user accounts with few key differences:

• they can be controlled by other users
• their effective permissions are the intersection of their own permissions and those of the controller
  • this also means that their effective privacy level is the minimum of their own privacy level and that of the controller
  • the single exception is access_study: service accounts can access all studies that the controller can access
  • if a service account is currently not controlled, it does not have any permissions
• the controller is mentioned in monitoring logs
• they cannot be added as study members

The idea is to use these accounts for API access. By linking it to a regular user, we still have full accountability.

By combining this with !1986 (merged) it is possible to create general domains that can be accessed by a service account but not by regular users (assuming we do not use the same intersection we use for permissions).