
Extend the organizational policy to support organizational agent authorization rules

MR: Pending

Description

We would need to create a new rule that allows only admins who are organization owners to create an instance-wide mapping.

We would need to create a new rule that allows only organization_users to read an instance-wide mapping.

Acceptance Criteria

  • Introduce the rule admin_organization_cluster_agent_mapping, which should succeed when the user is an admin who is an organization owner in the Organization subject
  • Introduce the rule read_organization_cluster_agent_mapping, which should succeed when the user is a user in the Organization subject or an admin
  • Add unit tests to this policy extension to cover all appropriate permission test cases, preferably using a test matrix; see the existing specs on the namespace authorization for context.
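
The two rules and a permission test matrix for them, as an added example in plain Ruby; it is not the project's policy code or its spec. The `User`, `Organization` and `OrganizationPolicy` classes are hypothetical stand-ins, and treating an owner as an organization user is an assumption.

```ruby
# Plain-Ruby stand-in for the two rules; not GitLab's policy DSL.
# User, Organization and OrganizationPolicy are hypothetical names.
User = Struct.new(:name, :admin)
class Organization
  def initialize(roles = {})
    @roles = roles # user name => :owner or :user
  end

  def owner?(user)
    @roles[user.name] == :owner
  end

  # Assumption: an owner also counts as an organization user.
  def user?(user)
    @roles.key?(user.name)
  end
end

class OrganizationPolicy
  def initialize(user, org)
    @user, @org = user, org
  end

  def allowed?(ability)
    return false if @user.nil? # anonymous users are denied
    case ability
    when :admin_organization_cluster_agent_mapping then @user.admin && @org.owner?(@user)
    when :read_organization_cluster_agent_mapping then @user.admin || @org.user?(@user)
    else false # unknown abilities are denied by default
    end
  end
end

# Matrix rows: admin?, role in organization, expected admin_*, expected read_*
MATRIX = [
  [true,  :owner, true,  true],
  [true,  :user,  false, true],
  [true,  nil,    false, true],  # admin outside the organization can still read
  [false, :owner, false, true],  # owner without admin cannot create mappings
  [false, :user,  false, true],
  [false, nil,    false, false]
].freeze

# Returns the matrix rows whose actual result differs from the expectation.
def failing_rows
  MATRIX.reject do |admin, role, *expected|
    org = Organization.new(role ? { "u" => role } : {})
    policy = OrganizationPolicy.new(User.new("u", admin), org)
    expected == %i[admin read].map { |a| policy.allowed?(:"#{a}_organization_cluster_agent_mapping") }
  end
end
```
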

Technical Requirements

Design Requirements

Impact Assessment

User Story

Edited by Safwan Ahmed