Allow non-superuser admins to create new API sub-scopes #135

@GUI

With the new admin permissions system rolling out, there's the concept of API scopes that admins can be granted access to. For example, I could be granted full access to just the api.data.gov/nrel/ scope. This means I could manage or create any APIs within api.data.gov/nrel/*, but I could not create or manage APIs anywhere else (so api.data.gov/something-else would be off limits).

Right now, only superusers can create API scopes (defining what hosts/paths agencies have ownership over and setting that up will be part of getting new agencies set up). However, in the future, it might be handy if agency admins could then define their own sub-scopes, as long as it's within their current scope. So, for example, if I have ownership over the api.data.gov/nrel/ scope, then I could create a new api.data.gov/nrel/transportation scope and then I could create new admin accounts that only had access to that area. This would allow a higher-level admin at an agency to segment off and manage their agency's permissions themselves.

Right now, I think the API scopes will predominantly be used by the api.data.gov team to set up initial API scopes for new agencies (since we need to be involved in at least the very first step of picking what host and path each group has ownership over). However, if there's demand for agencies managing these types of permissions and sub-scopes themselves, allowing them to do so is certainly doable. Most of the pieces to do this are already there; we just need to allow these users to create new API scopes, but ensure the new scope is a child of their current scope.
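The "new scope is a child of their current scope" check described in this issue, sketched as an added example that is not part of the original post or the project's code. The `Scope` model, the function names, and the choice to require a strictly deeper path are assumptions; the point is that containment is compared per path segment and ambiguous prefixes are denied.

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Scope:  # hypothetical model: one host plus one path prefix
    host: str
    path_prefix: str


def _segments(path: str) -> list[str]:
    """Split a path prefix into segments, rejecting anything ambiguous."""
    decoded = unquote(path)  # so %2e%2e is checked as ".."
    if not decoded.startswith("/"):
        raise ValueError("path prefix must be absolute")
    parts = [p for p in decoded.split("/") if p]
    if any(p in (".", "..") for p in parts):
        raise ValueError("dot segments are not allowed in a scope")
    return parts


def is_sub_scope(parent: Scope, child: Scope) -> bool:
    """True only if child is on the same host and strictly below parent."""
    if parent.host.lower() != child.host.lower():
        return False
    p, c = _segments(parent.path_prefix), _segments(child.path_prefix)
    # Compare whole segments: "/nrel" must not match "/nrel-other".
    return len(c) > len(p) and c[: len(p)] == p


def can_create_scope(admin_scopes, new_scope: Scope, superuser: bool = False) -> bool:
    """Superusers may create any scope; other admins only children of their own."""
    if superuser:
        return True
    try:
        return any(is_sub_scope(s, new_scope) for s in admin_scopes)
    except ValueError:
        return False  # malformed prefix: deny rather than guess


if __name__ == "__main__":
    nrel = [Scope("api.data.gov", "/nrel/")]  # constructed sample data
    for prefix in ("/nrel/transportation", "/something-else", "/nrel-other/x",
                   "/nrel/../something-else"):
        print(prefix, can_create_scope(nrel, Scope("api.data.gov", prefix)))
```

A plain string-prefix comparison would accept `/nrel-other/x` for an admin whose scope is stored as `/nrel`, which is why the check works on segments.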
