Split into separate, fine grained permissions

This assertion is flaky when ran against MySQL

Previously, Vulnerabilities API would return all however it should only
return non-dismissed by default. This behavior can be changed with
`scope=all`

This spec was failing because it assumed that the order returned
by the API would be the same from run to run. Fix this by
requesting enough per page so that we retrieve all possible
vulnerabilities.

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/11411

Adds API endpoint for returning all vulnerabilities for a given project