Internal user group and special permissions

Needs rebase from !228 (merged)

Adds a "internal" user group whose users have their tokens restricted to internal access (localhost or Docker). All other users cannot be used for internal requests.