Outcome from evaluation (order does not matter, copied from JIRA):
Move the license and subscription management (the “Business” section in the sidebar) out of the dotcom instance
Why? A big chunk of site admins are added because managing customer licenses and subscriptions is currently a site-admin privilege.
Move debugging endpoints (/-/debug) out of the dotcom instance
The routes under /-/debug are commonly accessed for debugging issues on dotcom, including querying Prometheus metrics and viewing Grafana dashboards, along with some internal debugging info for each service instance. Accessing these debugging endpoints currently requires authenticating as a site admin.
We could also choose to implement RBAC (the next bullet) to address this concern.
Implement/support RBAC for site admins on dotcom
Why? For debugging purposes, all engineers are likely to need site-admin privileges, and the number of engineers is typically ever-growing. However, based on team ownership, not all engineers need write, or sometimes even read, access to every functionality in the site admin area (/site-admin).
Based on my discovery and feedback from the security team that sourcegraph.com is no longer part of the current session of the SOC2 audit, the actual engineering work could/should be postponed due to other priorities.