Consultant accounts ― who can watch normal non-admin accounts

[nhoening]

We want to allow certain users to see what normal accounts can see.

Use case: Our customer is the supplier to a bunch of other (client) accounts on the server. They should have read-only access to some accounts. At least this is the first step. So they can oversee what happens, for instance for servicing questions and problems.

One easy way for this to happen is giving the account an account-role <client>-watcher or similar. If this role is present, our central auth policy (see e.g. #200) should wave them through if the permission is "read".

This is not thought-through sufficiently yet.

For instance, what if some of the super-account's users deal with one group of client accounts, some with others?