gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Remove allowed actions only on auth service host #25141

Open stevenGravy opened 1 year ago

stevenGravy commented 1 year ago

What would you like Teleport to do?

User retrieval and system alerts use the check hasBuiltinRole(types.RoleAdmin), which only allows the action to be performed from within the auth host. This prevents both cloud users and users that do not have host access from performing certain functions, even with full resource RBAC rights.

if !a.hasBuiltinRole(types.RoleAdmin) {

We also do not document this server admin functionality which causes further confusion.

What problem does this solve?

Allows remote administration for areas previously limited to auth host access only. This is not available for cloud users and stops presenting undocumented errors.

If a workaround exists, please include it.

User has to be on the host to perform.
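The contrast the issue draws, shown as an added Go example that is not Teleport's own code: a check keyed on a builtin role denies every caller except the auth service's own identity, no matter what resource RBAC the caller holds, while a check keyed on RBAC verbs lets a remote user with the right grants through. The `BuiltinRole`, `RoleAdmin` and `hasBuiltinRole` names echo the snippet quoted above, but the types, callers and permission model here are simplified assumptions for illustration.

```go
package main

import "fmt"

// Hypothetical, simplified model of the two authorization styles the issue
// contrasts. Nothing here is Teleport's real API; it is an illustration only.

// BuiltinRole stands for a role that only the auth service's own identity
// holds; a remote user, however privileged, never carries it.
type BuiltinRole string

const RoleAdmin BuiltinRole = "Admin"

// Verb and Resource model resource-level RBAC (e.g. "list" on "user").
type Verb string
type Resource string

const (
	VerbRead Verb     = "read"
	VerbList Verb     = "list"
	ResUser  Resource = "user"
	ResAlert Resource = "cluster_alert"
)

// Caller is whoever made the API request.
type Caller struct {
	Name        string
	Builtin     BuiltinRole         // "" for ordinary users
	Permissions map[Resource][]Verb // resource RBAC granted by the user's roles
}

func (c Caller) hasBuiltinRole(r BuiltinRole) bool { return c.Builtin == r }

func (c Caller) hasVerb(res Resource, v Verb) bool {
	for _, have := range c.Permissions[res] {
		if have == v {
			return true
		}
	}
	return false
}

// hostOnlyCheck is the pattern the issue describes: the action succeeds only
// when the caller is the auth service itself, and RBAC is never consulted.
func hostOnlyCheck(c Caller) error {
	if !c.hasBuiltinRole(RoleAdmin) {
		return fmt.Errorf("access denied: %s is not running on the auth host", c.Name)
	}
	return nil
}

// rbacCheck is the alternative the issue asks for: the same action is gated on
// the caller's resource RBAC verbs, so a remote administrator whose roles grant
// the verb passes, and one whose roles do not is still denied.
func rbacCheck(c Caller, res Resource, v Verb) error {
	if c.hasBuiltinRole(RoleAdmin) || c.hasVerb(res, v) {
		return nil
	}
	return fmt.Errorf("access denied: %s lacks %s on %s", c.Name, v, res)
}

// Constructed sample callers (not real identities).
func AuthHostIdentity() Caller {
	return Caller{Name: "auth-service", Builtin: RoleAdmin}
}

func RemoteAdmin() Caller {
	return Caller{
		Name: "alice",
		Permissions: map[Resource][]Verb{
			ResUser:  {VerbRead, VerbList},
			ResAlert: {VerbRead},
		},
	}
}

func main() {
	for _, c := range []Caller{AuthHostIdentity(), RemoteAdmin()} {
		fmt.Printf("%-12s host-only: %v\n", c.Name, hostOnlyCheck(c))
		fmt.Printf("%-12s rbac list user: %v\n", c.Name, rbacCheck(c, ResUser, VerbList))
		fmt.Printf("%-12s rbac list alert: %v\n", c.Name, rbacCheck(c, ResAlert, VerbList))
	}
}
```

The RBAC variant is the one that matches the least-privilege model the rest of the API uses: it keeps the auth service's own identity working, denies a user who lacks the verb, and no longer depends on where the request physically originates, which is the property the issue wants for cloud and remote administrators.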

webvictim commented 4 months ago

Relevant: https://github.com/gravitational/teleport/pull/42910

deusxanima commented 3 weeks ago

Seeing more need for this in the context of Windows desktop connection troubleshooting. At the moment, per the docs update in the last comment, it isn't possible to have Teleport sign client certs for Windows to help manually validate correct CA configuration and propagation on the AD side.