Add group-specific validations

If validation rules contain information that shouldn't be public,
administrators can currently limit enforcement only based on email and
skipGroup. That may not be sufficient, especially if the same email
domain is used between those two groups.

This CL allows administrators to enforce validation only on users that
belong to one of specificed groups.

Bug: Issue 14359
Change-Id: I2e31a880c70338dcea93a5d44b030f2d9a539149