Improve group candidates resolution by Flowable IdM identity service.

[krausvo1]

This PR improves resolution of group candidates provided by Flowable IdM identity service and adds support for querying user's by their group membership.

[pavelhoral]

Had internal discussion and our previous change was not ideal - we would like to map worfklow groups to authorization roles, not managed roles. This should be changed. Also I would like to see more "defensive" approach in query implementations - implement only what we need and nothing else (throw exceptions, when unsupported filters or combination of filters is used).

[krausvo1]

I have made changes based on previous notes.

• When querying groups by member, we fetch the managed user and return its authzRoles as IdM groups.
• When querying users by group membership, we fetch the managed role and return its authzMembers as IdM users.
• Group query supports filtering by groupId, groupIds and groupMember. groupMember cannot be used together with any of the former parameters.
• User query supports filtering by userId and memberOfGroup; they also cannot be used together.
• I have also fixed assignee select in Admin UI broken by my changes in previous PR.