Allow limited admins to assign the "api-umbrella-key-creator" role.

18F/api.data.gov#157

app/policies/api_user_role_policy.rb

@@ -3,6 +3,8 @@ def show?
     allowed = false
     if(user.superuser?)
       allowed = true
+    elsif(record == "api-umbrella-key-creator")
+      allowed = true
     elsif(record.start_with?("api-umbrella"))
       allowed = false
     else

spec/controllers/api/v1/users_controller_spec.rb

@@ -163,7 +163,24 @@
       end.to_not change { ApiUser.count }
     end
 
-    it "forbids limited admins from assigning a new role beginning with 'api-umbrella'" do
+    it "allows limited admins to assign the 'api-umbrella-key-creator' role" do
+      admin_token_auth(@google_admin)
+      attributes = FactoryGirl.attributes_for(:api_user, {
+        :roles => [
+          "api-umbrella-key-creator",
+        ],
+      })
+
+      expect do
+        send(method, action, params.merge(:user => attributes))
+        response.status.should eql(success_response_status)
+        data = MultiJson.load(response.body)
+        user = ApiUser.find(data["user"]["id"])
+        user.roles.should eql(attributes[:roles])
+      end.to change { ApiUser.count }.by(success_record_change_count)
+    end
+
+    it "forbids limited admins from assigning other new roles beginning with 'api-umbrella'" do
       admin_token_auth(@google_admin)
       attributes = FactoryGirl.attributes_for(:api_user, {
         :roles => [
@@ -179,7 +196,7 @@
       end.to_not change { ApiUser.count }
     end
 
-    it "allows superuser admins to assign a new role beginning with 'api-umbrella'" do
+    it "allows superuser admins to assign other new roles beginning with 'api-umbrella'" do
       admin_token_auth(@admin)
       attributes = FactoryGirl.attributes_for(:api_user, {
         :roles => [