Let's do this in conjunction with #5002. Only a User Admin and above should see the lists of users and groups. Users should see what groups they are in from the "Accounts" dropdown. This also means User Admins should be the only ones who can configure what users/groups can access or modify templates.

In the Users list, add a row with the user's login type. @Emyrk explained that it may not be great to allow admins to convert between accounts since there may be an email mismatch. However, I don't think there are security risks (just an inconvenience) since the user would own both emails. To fix, the admin would need to convert back to OIDC to built-in and allow the user to authenticate them myself. Perhaps I am misunderstanding though? I guess the security risk would be the admin set the wrong email for the built-in account which is not owned by the user. I think this is still acceptable unless there is evidence of this being handled differently in other enterprise products.

We don't need this before we allow users to switch to OIDC themselves but is a good follow-up and was requested by a major customer.