Add security and permissions for custom cohorts

[mitalia]

There need to be some controls around who can create, modify, and view/use cohorts. View in this context means see allele frequencies for variants, similar to what is done now. I suggest the following approach:

Project cohorts: People with a project manager role (likely needs to be created) can add, edit, and delete project-level cohorts. All members of a project can see these cohorts and use them in queries

Public cohorts: Site admins can create, edit, and delete public cohorts. All users can view these cohorts and use in queries.

This ticket originally included a notion of "personal" cohorts, but this introduces complexity we don't need at this time that is hard to justify.