We'd like to improve the experience for users of the integrations app when they don't have full privileges to Fleet. Today, users see an error message saying "You are not authorized to access Integrations. Integrations requires superuser privileges."
Since the integrations app is becoming a unified integrations page, users should not need a superuser role or access to Fleet in order to see the list of integrations. Analysts with read-only access will also appreciate a way to see the integration documentation and out of the box assets like dashboards. It will also allow us to showcase all the integrations we offer to help users discover new business cases.
For context, we already provide a way to control access to Fleet and Integrations through Kibana privileges. Administrators enable read-only access by selecting "Read" for Fleet & Integrations. Selecting the Read privilege has little effect today since we also require the superuser role to use the app, which overrides the Read limitation.
We'd like to update the integration app to provide read only access if the user either has the Read privilege in Kibana or the All privilege but lacks the superuser role.
Users with read-only access can see:
The integrations page (already provided today, but remove the superuser check)
The Browse tab and the list of integrations
The Manage tab and installed integrations
View the integration detail page, overview and assets tabs
They cannot see:
The add integration button
The policies or settings tabs on the integrations detail page. These contain controls and sensitive information that we need to limit.
Integration updates on the manage tab. These users are not able to upgrade integrations.
The Fleet app. This contains controls and sensitive information that we need to limit.
They should not be able to add or edit integration policies in Fleet. We don't want these users to be able to add packages, update potentially thousands of hosts, or have access to sensitive information like enrollment tokens, access credentials, or be able to collect arbitrary data from hosts.
Out of scope:
Splitting the Integrations and Fleet privileges. We'll do that as part of a broader RBAC update in a later phase. Users can still provide access to the Integrations app without Fleet by not offering a superuser role.
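The access rule and the can-see/cannot-see lists above, written as a default-deny capability check. This is an added example, not code from Kibana or from the issue author: the type names, surface identifiers and functions are hypothetical, and it assumes superusers keep the full access they have today.

```typescript
// Added illustration: names below are hypothetical, not Kibana's real API.
type KibanaPrivilege = "none" | "read" | "all"; // "Fleet & Integrations" privilege
type AccessLevel = "none" | "read-only" | "full";

interface User {
  privilege: KibanaPrivilege;
  isSuperuser: boolean;
}

// Every surface named in the issue, classified once.
// true = visible to read-only users, false = superuser only.
const READ_ONLY_VISIBLE = {
  "integrations.browse": true,
  "integrations.manage": true,
  "integrations.detail.overview": true,
  "integrations.detail.assets": true,
  "integrations.add": false,
  "integrations.detail.policies": false,
  "integrations.detail.settings": false,
  "integrations.upgrade": false,
  "fleet.app": false,
  "fleet.policies.write": false,
};

function accessLevel(user: User): AccessLevel {
  // Assumption: superusers keep the full access they have today.
  if (user.isSuperuser) return "full";
  // Read, or All without the superuser role, both resolve to read-only.
  if (user.privilege === "read" || user.privilege === "all") return "read-only";
  return "none";
}

function canAccess(user: User, surface: string): boolean {
  const level = accessLevel(user);
  if (level === "none") return false;
  // Default deny: a surface nobody has classified is hidden from everyone.
  const known = Object.prototype.hasOwnProperty.call(READ_ONLY_VISIBLE, surface);
  if (!known) return false;
  if (level === "full") return true;
  return (READ_ONLY_VISIBLE as Record<string, boolean>)[surface];
}

// Lists what a given user would see, in the order the surfaces are declared.
function visibleSurfaces(user: User): string[] {
  return Object.keys(READ_ONLY_VISIBLE).filter((s) => canAccess(user, s));
}
```

Keeping the classification as an allowlist means a tab added later stays hidden from read-only users until someone explicitly marks it visible.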
@mostlyjason It will be great if we can separate out the rationale for this use case from the user journeys and then double down on writing the user journeys in as much detail as possible. Given this has some relations to RBAC, it may make sense to write these journeys in a Google Doc and then get more feedback from our consumer teams before we head down to design.
mostlyjason changed the title from "[Fleet] Allow all users to see integrations, but only superusers can add/edit them" to "[Fleet] Allow read-only access to integrations" on Aug 26, 2021