This is a temporary fix; the real fix would be to create a real permission to
manage members of a role so that role's admin roles would not have the admin
permission but the manage-members permission, so that for a user who can just
manage members of a role, request.user.has_any_perm('a2_rbac.add_role') would
return False; currently it returns True but it has no meaning.
- hide the OU column
- select the first OU (it also improves the case of OU administrators)
- set the OU selector to readonly and disabled
- remove OU selectors from search forms