cuttlefish
Rethink "super admin" permissions model
First a quick definition of terms:
- An admin - a user of cuttlefish who is part of a team. They can only see things for apps connected to their team.
- A super admin - An admin can also be a "super admin" in which case they can see other teams and who is part of those teams.
The current permissions model is a bit of a hack and not very thoroughly thought out. It was fine for a while but it feels like time to revisit it and think it through a bit more. When you're a super admin you can mostly just see what is in your team. When you look at emails it just shows you your team's apps and the emails associated with those.
You can also see other teams and who is a member of those. If you click through the apps from there you used to also be able to see the emails for those apps in the other team. This was essentially the quick hack that allowed us to administer the site while not thinking through what we really need to be able to do more generally.
I see a few potential approaches:
- A super admin can see and do everything. The advantage of this is its simplicity. The disadvantage of this is that it is very hard for the super admin to separate their "normal" admin activities from their super admin activities. For instance, when they look at emails they'll see all emails not just the ones in their team.
- A super admin has the rights to toggle their "super" mode on and off. When it's off they can't see anything else apart from their own team. It's as if they don't have super admin rights at all. When they switch it on they can see and do everything.
- Some hybrid of the two approaches above. Perhaps they can see other teams by default but can't view other teams' emails until they switch on "super" mode.
@jamezpolley I'd really appreciate your thoughts / feedback on this. Are there any other approaches worth considering? What would be the simplest to understand for the user and what would work best and give them the flexibility they need?
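The three approaches listed in the issue, written out as visibility rules so their effect on the same user can be compared side by side. This is an added example, not part of the issue and not Cuttlefish's code; the `User` and `Email` structs, the `:always` / `:toggle` / `:hybrid` model names and all data are hypothetical and constructed for illustration.

```ruby
# Hypothetical stand-ins for the real models (assumption, not Cuttlefish code).
User  = Struct.new(:name, :team, :super_admin, :super_mode, keyword_init: true)
Email = Struct.new(:id, :team, keyword_init: true)

# Constructed sample data: two teams, three emails.
TEAMS  = %w[alpha beta].freeze
EMAILS = [
  Email.new(id: 1, team: "alpha"),
  Email.new(id: 2, team: "alpha"),
  Email.new(id: 3, team: "beta")
].freeze

# True only when super admin rights are actually in effect.
# The super_admin check comes first so a "super mode" flag set on an
# ordinary admin (stale session, tampered parameter) grants nothing.
def elevated?(user, model)
  return false unless user.super_admin

  case model
  when :always          then true                    # approach 1: see and do everything
  when :toggle, :hybrid then user.super_mode == true # approaches 2 and 3: explicit switch
  else raise ArgumentError, "unknown model #{model.inspect}"
  end
end

# Which teams (and their membership) the user may list.
def visible_teams(user, all_teams, model)
  # Hybrid: other teams are visible to a super admin even with the switch off.
  return all_teams if elevated?(user, model)
  return all_teams if model == :hybrid && user.super_admin

  [user.team]
end

# Which emails the user may read. Only elevation widens this scope.
def visible_emails(user, emails, model)
  return emails if elevated?(user, model)

  emails.select { |email| email.team == user.team }
end
```

Under `:hybrid` the team list and the email scope deliberately diverge while the switch is off, which is the behaviour a reviewer would want to test explicitly before choosing that model.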