MantisBT: master 25223c9e

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2010-03-31 09:17
Parent: master fbfdfe40
Affected Issues: 0011530: Support multiple access levels above manage_user_threshold
Changeset

Fix 0011530: Support multiple access levels above manage_user_threshold

Traditionally manage_user_threshold was thought of as being an absolute
global threshold which would allow any user the ability to modify any
other user account. Thus manage_user_threshold effectively had to be the
same as admin_site_threshold because users with manage_user_threshold
could just modify accounts to escalate their permissions to the maximum
level.

This patch prevents users from modifying accounts which have an access
level greater than their own. It also prevents users from creating
accounts with access levels greater than their own.

Thus it is now possible to use manage_user_threshold as a separate
permission level to admin_site_threshold. Users with an access level
between manage_user_threshold <= user access level <
admin_site_threshold can no longer escalate their permissions or modify
the accounts of other users with a higher access level.

mod - manage_proj_user_remove.php
mod - manage_proj_user_copy.php
mod - manage_user_prune.php
mod - core/project_api.php
mod - manage_user_edit_page.php
mod - manage_user_proj_add.php
mod - manage_user_proj_delete.php
mod - manage_user_delete.php
mod - manage_user_update.php
mod - account_prefs_reset.php
mod - account_prefs_update.php
mod - manage_user_page.php
mod - manage_proj_edit_page.php
mod - manage_user_create.php
mod - manage_user_reset.php
mod - manage_user_create_page.php
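
The rule the commit message describes, written out as an added PHP sketch; it is not code from this changeset or from MantisBT. The helper name may_manage_account(), the numeric level values, and setting manage_user_threshold below admin_site_threshold are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed access levels and thresholds, for this illustration only.
const DEVELOPER = 55;
const MANAGER = 70;
const ADMINISTRATOR = 90;
const MANAGE_USER_THRESHOLD = MANAGER;       // may manage user accounts
const ADMIN_SITE_THRESHOLD = ADMINISTRATOR;  // full site administration

/**
 * Hypothetical helper: may an actor create or modify an account?
 * $targetLevel is the account's current level (null when creating);
 * $requestedLevel is the level the request would leave the account with.
 */
function may_manage_account(int $actorLevel, ?int $targetLevel, int $requestedLevel): bool
{
    if ($actorLevel < MANAGE_USER_THRESHOLD) {
        return false; // not a user manager at all
    }
    if ($targetLevel !== null && $targetLevel > $actorLevel) {
        return false; // target outranks the actor: no edit, reset or delete
    }
    // The requested level needs the same bound, otherwise an edit or a
    // create is itself the escalation path.
    return $requestedLevel <= $actorLevel;
}

// Constructed cases: [actor, target's current level, requested level, expected]
$cases = [
    'manager edits developer'        => [MANAGER, DEVELOPER, DEVELOPER, true],
    'manager edits administrator'    => [MANAGER, ADMINISTRATOR, ADMINISTRATOR, false],
    'manager promotes self to admin' => [MANAGER, MANAGER, ADMINISTRATOR, false],
    'manager creates administrator'  => [MANAGER, null, ADMINISTRATOR, false],
    'manager creates manager'        => [MANAGER, null, MANAGER, true],
    'developer edits developer'      => [DEVELOPER, DEVELOPER, DEVELOPER, false],
    'administrator edits manager'    => [ADMINISTRATOR, MANAGER, ADMINISTRATOR, true],
];

foreach ($cases as $name => [$actor, $target, $requested, $expected]) {
    $got = may_manage_account($actor, $target, $requested);
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for: $name");
    }
    printf("%-32s %s\n", $name, $got ? 'allowed' : 'denied');
}
```

The long list of touched files reflects that a check like this has to run on every path that changes an account (create, update, reset, delete, project membership), not only on the edit form.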