This fixes a bug where maintainers of a
subgroup are unable to see a list of compliance
frameworks belonging to the root group.

We've split the :manage_compliance_framework policy in to two:

* :manage_compliance_framework for owners of root groups
  to add/update/delete compliance frameworks.
* :read_compliance_framework for _all_ users of
  a group namespace to allow them to read the details
  of a compliance framework.

There's no reason to hide this information from users
within a group as they will see the name, description,
pipeline configuration through the UI anyway.

Maintainers of subgroups that do not have owner access
to the root namespace will now no longer see an error in the
group settings page too.

Also changes the FrameworkResolver GraphQL resolver
to use :read_compliance_framework rather than
:admin_compliance_framework

EE: true
Changelog: fixed