Create default RBAC that permits project members to create roles and rolebindings

[larsks]

We grant project members the edit role on projects, primarily because we don't want users to be able to modify quota resources.

Unfortunately, the edit role is restrictive in other ways -- in particular, it does not allow project members to create roles and rolebindings in their project (see nerc-project/operations#128).

This is going to be a relatively common operation, so we should probably ensure these privileges are granted by default.