
should not be able to assign roles to users you can't see #1332

Open
@davepacheco

Description


The role assignment APIs should probably check that you've got privileges to see all the users to which you're assigning roles.

I'm assuming a few things here:

  • the "fleet" will potentially have role assignments for users from multiple Silos (see https://github.com/oxidecomputer/rfd/tree/master/rfd/0234#3-alternatives-considered for why we abandoned the idea of an "operations silo")
  • the "silo" will potentially have role assignments for users from multiple Silos (for bootstrapping and so that someone can fix the IdP config (if the IdP config is broken, nobody in the Silo can fix it by definition))
  • the "organization" and "project" would only have role assignments for users in the current Silo in practice -- I'm not clear on whether we should enforce this

That means it has to be necessary to assign roles to users in different Silos. That's fine, but you probably should only be able to do that if you have privileges to see those users.
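
The check proposed in this issue, sketched as an added example (not code from the issue or from the project). All types and names here (`Actor`, `readable_silos`, `check_assignments`) are hypothetical, and treating an id that does not resolve the same as a user in an unreadable Silo is an assumption of the sketch.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical stand-in types for this sketch, not the project's API.
type SiloId = u32;
type UserId = u32;

struct Actor {
    // Silos whose users this actor is authorized to read.
    readable_silos: HashSet<SiloId>,
}

struct RoleAssignment {
    user: UserId,
    role: &'static str,
}

/// Accept the proposed assignments only if the actor can see every user
/// named in them. On failure, return the offending user ids so the caller
/// can reject the whole request without applying any part of it.
/// An id that does not resolve is rejected like an invisible user (assumption).
fn check_assignments(
    actor: &Actor,
    user_silo: &HashMap<UserId, SiloId>,
    proposed: &[RoleAssignment],
) -> Result<(), Vec<UserId>> {
    let hidden: Vec<UserId> = proposed
        .iter()
        .filter(|a| match user_silo.get(&a.user) {
            Some(silo) => !actor.readable_silos.contains(silo),
            None => true,
        })
        .map(|a| a.user)
        .collect();
    if hidden.is_empty() { Ok(()) } else { Err(hidden) }
}

// Constructed sample data: users 10 and 11 are in silo 1, user 20 in silo 2.
fn sample_directory() -> HashMap<UserId, SiloId> {
    HashMap::from([(10, 1), (11, 1), (20, 2)])
}

fn main() {
    // A Silo-scoped actor tries to assign a role to a user in another Silo.
    let silo_admin = Actor { readable_silos: HashSet::from([1]) };
    let proposed = [RoleAssignment { user: 10, role: "admin" },
                    RoleAssignment { user: 20, role: "viewer" }];
    println!("{:?}", check_assignments(&silo_admin, &sample_directory(), &proposed));
}
```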
