allow secret keys to be edited while role members exist

[joel-bluedata]

Currently this is prevented by the validator.

I think there's no fundamental reason we need to disallow this, but we should discuss.

Also: would a change to the secret keys need to have an associated startscript notification?