Only group owners can set ldap overrides
LDAP overrides should only be set by group owners, not masters. This wasn't clear in the initial issue but it will be required for a large customer + an upcoming change to allow restricting group owners to administrators to ultimately restrict LDAP overrides by non-admin users.
This small change works, but I suspect it's not ideal. It seems the #additional_rules! method was only built with overriding master in mind, but in this case I need to override owner.
@jneen I think you worked on a lot of the permissions refactor. Do you have any suggestions here?
If all else fails, we could create an EE::GroupPolicy module to mixin like we've described for managing other CE/EE differences. I didn't want to jump in to that without exploring other options since it appeared #additional_rules! was built for the purpose of allowing EE overrides.