Support associating a serviceAccount user with a particular group

[lmsurpre]

Since the IBM FHIR Server defaults to using the group claim when mapping to security-role, requests from a serviceAccount (like in the newly introduced SMART Backend Services config) must belong to a group in order to be consider authorized.

Tasks for making this easier to implement

1. support configuration of group membership for service accounts
2. update the smart-backend-services sample config to ensure the infernoBulk client's service account (service-account-infernoBulk) is associated with the fhirUser group

Here's what those steps look like from the UI:

[lmsurpre]

for "normal" users, keycloak supports the notion of a "default group" and we use that to ensure all users will get the group membership by default. what would be nice is if there were a similar concept for service account users...otherwise we're stuck either:
A. registering all clients via keycloak-config; or
B. documenting how to manually add the service accounts to the fhirUser group