Improve app access setting flow

Follow-up from !42 (comment 46903):

So I tried it again and this is my observation:

  1. Start with a user with no app access at all
  2. Set user admin role --> All app access roles are set to admin
  3. Set user user role --> All app access roles are still set to admin

This is concerning because when you don't pay much attention, and only focus on taking away user admin role for a user, the user would then still have admin roles for all apps.

So this means by setting the user admin role the app access roles are persisted to the db. I thought they weren't and the backend would just grant all admin users admin access on the fly, no matter what app access was configured. I'd like to hear a second opinion on the desired workflow here. @arie ?

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information