Access control documentation: Create group and project

Contains short documentation on the 'Create group' and 'Create
project' capabilities with links back from the command pages.

Also includes a formatting fix in the 'Create account' capability.

Change-Id: Iff883cbbbd4368703d5372012c205e72083f4248
Signed-off-by: Fredrik Luthander <fredrik.luthander@sonymobile.com>

Documentation/access-control.txt

@@ -833,10 +833,6 @@ much of the server administration burden out to more users.
 Below you find a list of capabilities available:
 
 
-* Create Group
-
-* Create Project
-
 * Flush Caches
 
 * Kill Task
@@ -866,13 +862,31 @@ capabilities granted to them automatically.
 Create Account
 ~~~~~~~~~~~~~~
 
-Allow link:cmd-create-account.html['account creation over the ssh prompt'].
+Allow link:cmd-create-account.html[account creation over the ssh prompt].
 This capability allows the granted group members to create non-interactive
 service accounts.  These service accounts are generally used for automation
 and made to be members of the
 link:access-control.html#non-interactive_users['Non-Interactive users'] group.
 
 
+[[capability_createGroup]]
+Create Group
+~~~~~~~~~~~~
+
+Allow group creation.  Groups are used to grant users access to different
+actions in projects.  This capability allows the granted group members to
+either link:cmd-create-group.html[create new groups via ssh] or via the web UI.
+
+
+[[capability_createProject]]
+Create Project
+~~~~~~~~~~~~~~
+
+Allow project creation.  This capability allows the granted group to
+either link:cmd-create-project.html[create new git projects via ssh]
+or via the web UI.
+
+
 [[capability_queryLimit]]
 Query Limit
 ~~~~~~~~~~~

Documentation/cmd-create-account.txt

@@ -28,7 +28,8 @@ created in Gerrit that do not exist in the underlying LDAP directory.
 ACCESS
 ------
 Caller must be a member of the privileged 'Administrators' group,
-or have been granted the 'Create Account' global capability.
+or have been granted
+link:access-control.html#capability_createAccount[the 'Create Account' global capability].
 
 SCRIPTING
 ---------

Documentation/cmd-create-group.txt

@@ -28,7 +28,8 @@ becomes a member of the newly created group.
 ACCESS
 ------
 Caller must be a member of the privileged 'Administrators' group,
-or have been granted the 'Create Group' global capability.
+or have been granted
+link:access-control.html#capability_createGroup[the 'Create Group' global capability].
 
 SCRIPTING
 ---------

Documentation/cmd-create-project.txt

@@ -39,7 +39,8 @@ on the remote system to create the empty repository.
 ACCESS
 ------
 Caller must be a member of the privileged 'Administrators' group,
-or have been granted the 'Create Project' global capability.
+or have been granted
+link:access-control.html#capability_createProject[the 'Create Project' global capability].
 
 SCRIPTING
 ---------