Inky admin permissions - allow granular control

Super Admin is currently required for onboarding customers, which also grants full product access. This means 10+ engineers in an MSP need Super Admin, with most of the rest needing policy management (the second highest tier). Best practice is least-privilege access.

There should be more granular permissions:

• Separate role for user management at MSP level (internal IT owns this, not day-to-day support staff)

• Separate role for onboarding new customers (professional services/projects teams shouldn't need full admin)

• Separate permissions for mail security vs signature management (different staff, different skillsets)

• Granular control over viewing message bodies — currently restricted to Super Admin, but lower-level or custom roles should be able to view message content without full Super Admin access

• Ability to hide the Subject field by role — all roles can currently see subjects in analysis/observations message lists, and the recent "access denied" on restricted tenants doesn't prevent seeing subjects