[RHCLOUD-44341][RHCLOUD-44341] Add prod role_binding permissions to RBAC and Inventory roles #758

Merged
lpichler merged 1 commit into RedHatInsights:master from lpichler:add-prod-role-binding-permissions
Mar 30, 2026
@lpichler
Contributor

Link(s) to Jira

Description of Intent of Change(s)

Adds role_binding resource permissions (view, grant, revoke) to the prod environment configuration (mirrors stage PR #746):

  1. RBAC permissions (rbac.json): Registers the new role_binding resource with view, grant, and revoke verbs
  2. KSL schema (rbac.ksl): Adds corresponding workspace relations with @add_unified_permission annotations
  3. Inventory roles (inventory.json):
    • Inventory Groups Administrator (Workspace administrator): Granted view, grant, and revoke permissions for full role binding management (version 5 → 6)
    • Inventory Groups Viewer (Workspace viewer): Granted view permission for read-only access to role bindings (version 5 → 6)

These permissions enable workspace-level role binding management for Inventory service users in production.

Local Testing

  • Verify the JSON configs are valid
  • Verify the KSL schema compiles
  • CI will validate schema generation and run SpiceDB validation

Checklist

  • if API spec changes are required, is the spec updated?
  • are there any pre/post merge actions required? if so, document here.
  • are these changes covered by unit tests?
  • if warranted, are documentation changes accounted for?
  • does this require migration changes?
    • if yes, are they backwards compatible?
  • is there known, direct impact to dependent teams/components?
    • if yes, how will this be handled?

Secure Coding Practices Checklist Link

Secure Coding Practices Checklist

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • File Management
  • Memory Management
  • General Coding Practices

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
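
One way to go beyond "Verify the JSON configs are valid" for a change like this, as an added example that is not part of the PR or the repository's own tooling: it checks that each role holds only registered role_binding verbs and exactly the verbs the description assigns it. The JSON layout, the `rbac:role_binding:<verb>` permission strings and the function name `audit_role_bindings` are assumptions.

```python
import json

# Constructed sample data. The "app:resource:verb" permission strings and the
# JSON layout below are assumptions for illustration, not copied from the PR.
PERMISSIONS_JSON = '{"role_binding": [{"verb": "view"}, {"verb": "grant"}, {"verb": "revoke"}]}'
ROLES_JSON = """{"roles": [
  {"name": "Inventory Groups Administrator", "version": 6,
   "access": [{"permission": "rbac:role_binding:view"},
              {"permission": "rbac:role_binding:grant"},
              {"permission": "rbac:role_binding:revoke"}]},
  {"name": "Inventory Groups Viewer", "version": 6,
   "access": [{"permission": "rbac:role_binding:view"}]}
]}"""

# Policy from the PR description: which role_binding verbs each role may hold.
EXPECTED = {
    "Inventory Groups Administrator": {"view", "grant", "revoke"},
    "Inventory Groups Viewer": {"view"},
}

def audit_role_bindings(permissions_json, roles_json, expected=EXPECTED,
                        app="rbac", resource="role_binding"):
    """Return a list of findings; an empty list means the configs match policy."""
    registered = {e["verb"] for e in json.loads(permissions_json).get(resource, [])}
    findings = []
    seen = set()
    for role in json.loads(roles_json)["roles"]:
        name = role["name"]
        seen.add(name)
        held = set()
        for entry in role.get("access", []):
            parts = entry["permission"].split(":")
            if len(parts) != 3:
                findings.append(f"{name}: malformed permission {entry['permission']!r}")
            elif parts[:2] == [app, resource]:
                held.add(parts[2])
        for verb in sorted(held - registered):
            findings.append(f"{name}: verb {verb!r} is not registered for {resource}")
        allowed = expected.get(name, set())
        for verb in sorted(held - allowed):
            findings.append(f"{name}: holds {verb!r} beyond its intended scope")
        for verb in sorted(allowed - held):
            findings.append(f"{name}: missing intended verb {verb!r}")
    for name in sorted(set(expected) - seen):
        findings.append(f"{name}: role not found")
    return findings

if __name__ == "__main__":
    print(audit_role_bindings(PERMISSIONS_JSON, ROLES_JSON) or "role_binding grants match policy")
```

A role that is absent from `EXPECTED` is treated as entitled to no role_binding verbs, so any grant or revoke that reaches another role is reported.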
@lpichler lpichler merged commit 2cd17f8 into RedHatInsights:master Mar 30, 2026
1 check passed
@lpichler lpichler changed the title Add prod role_binding permissions to RBAC and Inventory roles [RHCLOUD-44341]Add prod role_binding permissions to RBAC and Inventory roles Apr 8, 2026
@lpichler lpichler changed the title [RHCLOUD-44341]Add prod role_binding permissions to RBAC and Inventory roles [RHCLOUD-44341][RHCLOUD-44341Add prod role_binding permissions to RBAC and Inventory roles Apr 8, 2026
@lpichler lpichler changed the title [RHCLOUD-44341][RHCLOUD-44341Add prod role_binding permissions to RBAC and Inventory roles [RHCLOUD-44341][RHCLOUD-44341] Add prod role_binding permissions to RBAC and Inventory roles Apr 8, 2026

2 participants