Add new StaffWithRestricted patron type

[kenoir]

What does this change?

In order to better restrict who has access to certain images, this change adds a new patron type for staff that should have access to restricted images (reducing this from all staff to only staff with this role).

This change will require an update to the IIIF API mappings here: https://github.com/wellcomecollection/iiif-builder/blob/main/src/AuthTest/AuthTest/Controllers/HomeController.cs#L38, requested in Slack. The new mapping should allow only StaffWithRestricted access to restricted images.

Related: https://github.com/wellcomecollection/iiif-builder/pull/270

In addition this will require an update to the OpenAthens configuration that currently uses the Staff role from Auth0 to distinguish who should have access to certain journals. New configuration will need to include also the StaffWithRestricted type. See the #wc-open-athens Slack.

For https://github.com/wellcomecollection/identity/issues/400

Part of: https://github.com/wellcomecollection/platform/issues/5747

How to test

• [x] Run the tests, do they pass?
• [x] Deploy this change, ask a test user to login - is their patron type updated in Auth0?
• [ ] When the IIIF API changes have occurred, can only the new staff type get access to restricted images?

How can we measure success?

Only staff users who need access to restricted images should have access to those images.

Have we considered potential risks?

We are changing authentication for some users, but this should reduce permissions for staff rather than increase it. We should see if we can test this change on stage before releasing.

[kenoir]

Closes: https://github.com/wellcomecollection/identity/issues/400