Ease up permissions check since it always does the right thing; just
force audit mode when a non-admin mucks with another persons account. Add check for "webonly" accounts and treat like other users that do not get an account on boss/ops. Check for users without any project membership, and create account with the guest group. This won't actually happen, but I made this change in case we decide to give widearea owners a real account. I think setgroups should get an equiv change at some point.