Allow Space Managers to onboard Space Developers #3416

Open
colinjoy opened this issue Aug 31, 2023 · 0 comments
colinjoy commented Aug 31, 2023

Issue

Following the "Best Practices for SAP BTP" guide on setting up your account model, you end up with orgs hosting multiple applications/projects that are separated in different spaces.
To allow project teams to manage their development teams autonomously, a Space Manager should be able to onboard/offboard a Space Developer without needing to involve a central team (Org Managers), as it poses a bottleneck and requires manual communication processes (email, dm ...).

Today, this is not possible, because no Space role can be assigned by the Space Manager if the user to be added does not have a role on the Org already (which the Space Developer cannot grant themselves).

From #3377 I understand that this is by design?

The V2 API assigned the organization_user automatically when assigning any org or space role to a user. V3 does not do so anymore (which is good).

Similarly, the documentation on "Orgs, spaces, roles, and permissions in Cloud Foundry" reads:

In the v2 Cloud Controller API, when an Org Manager gives a person an Org or Space role, that person automatically receives Org User status in that org. This is no longer the case in the V3 Cloud Controller API.

Expected result

A user with Space Manager role can grant/revoke Space Developer role for a space on a user who has no role in the parent Org yet.

Possible Fix

Differentiate between Org User role that is explicitly granted and Org User role that is granted implicitly by having a role in a child Space (so that "Implicit Org User role" can be cleaned up when the last Space level role is revoked).
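
A minimal model of the fix proposed in this issue, added here as an illustration; it is not part of the issue and not Cloud Controller code. The class, its method names, the `:explicit`/`:implicit` markers and the sample users are assumptions.

```ruby
require 'set'

# Toy in-memory role model (constructed for illustration; not Cloud Controller code).
class RoleStore
  Forbidden = Class.new(StandardError)
  SpaceRole = Struct.new(:user, :space, :type)

  def initialize(space_to_org)
    @space_to_org = space_to_org # space name => parent org name
    @space_roles  = Set.new
    @org_users    = {}           # [user, org] => :explicit or :implicit
  end

  # Org Manager action: explicit Org User membership, never removed automatically.
  def grant_org_user(user, org)
    @org_users[[user, org]] = :explicit
  end

  # Org Manager action (assumed bootstrap step): appoint a Space Manager.
  def appoint_space_manager(user, space)
    @org_users[[user, @space_to_org.fetch(space)]] ||= :implicit
    @space_roles << SpaceRole.new(user, space, :space_manager)
  end

  def org_user_kind(user, org)
    @org_users[[user, org]] # nil when the user has no membership in the org
  end

  # Space Manager action: the target user needs no prior role in the org.
  def grant_space_role(actor, user, space, type)
    authorize!(actor, space)
    @org_users[[user, @space_to_org.fetch(space)]] ||= :implicit # keeps :explicit
    @space_roles << SpaceRole.new(user, space, type)
  end

  # Space Manager action: drop implicit membership with the last space role.
  def revoke_space_role(actor, user, space, type)
    authorize!(actor, space)
    @space_roles.delete(SpaceRole.new(user, space, type))
    org = @space_to_org.fetch(space)
    left = @space_roles.any? { |r| r.user == user && @space_to_org[r.space] == org }
    @org_users.delete([user, org]) if !left && @org_users[[user, org]] == :implicit
  end

  private

  def authorize!(actor, space)
    manager = @space_roles.include?(SpaceRole.new(actor, space, :space_manager))
    raise Forbidden, "#{actor} is not a Space Manager of #{space}" unless manager
  end
end
```

The authorization check runs before any membership is written, so a caller without the Space Manager role in that space cannot create even an implicit Org User entry.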
