Add "manage group access token" as a customizable permission

Background

Today, only Owners can manage group access tokens. This, along with other permissions, make the Owner role have too much privilege, when other roles may not have enough.

Proposal

Add "Manage Group Access tokens" as a customizable permissions, so that it can be added onto any base role. Check implementation in this issue to see how it was done for Project Access Tokens.