DELETE /users/{uid}/reporting-org/{oid} counts PROVIDER_ADMIN users in the last-user check #85

@simon-20

Description

Brief Description

DELETE /users/{uid}/reporting-org/{oid} uses get_user_associations_for_org(org_id) when checking whether the target user is the last remaining user for the organisation.

That provider method returns both:

  • direct reporting-org role associations
  • tool-derived PROVIDER_ADMIN associations

Because of that, a tool PROVIDER_ADMIN can be counted as an org "user" for the delete safety check.

This can allow deletion of the last remaining direct reporting-org user, leaving the org with only provider-admin/tool associations.

Current Code

src/register_your_data_api/routers/users.py

  • user_roles_for_org = context.fine_grained_auth_provider.get_user_roles_for_org(user_id, org_id)
  • users_in_org = context.fine_grained_auth_provider.get_user_associations_for_org(org_id)

src/register_your_data_api/auth/fga/fga_provider_db.py

  • get_user_associations_for_org() includes PROVIDER_ADMIN associations from tool access

Expected Behaviour

The "last user in the organisation" check for DELETE /users/{uid}/reporting-org/{oid} should only consider direct reporting-org role holders, not tool-derived PROVIDER_ADMIN associations.
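To make the two behaviours concrete, here is an added, self-contained model of the check (not code from register_your_data_api). Only `get_user_associations_for_org()`, `get_user_roles_for_org()` and the role name `PROVIDER_ADMIN` come from the issue; the `Association` record, its `source` field, the `FakeFgaProvider` stand-in, the other role name and the two `delete_reporting_org_role_*` functions are constructed for the example. It puts the current check (every returned association counts as a user) beside the expected one (only direct reporting-org role holders count) and runs both on the scenario the issue describes: one direct user plus one tool-derived PROVIDER_ADMIN.

```python
"""Model of the 'last user in the organisation' check from the issue.

Added, hypothetical code: not the project's implementation. Record shapes,
helper names and sample data are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Association:
    """One user <-> organisation association as the provider might return it.

    source is "reporting_org" for a direct reporting-org role and "tool" for a
    PROVIDER_ADMIN association derived from tool access (constructed field
    names; the real provider's record shape is not given in the issue).
    """
    user_id: str
    org_id: str
    role: str
    source: str


class FakeFgaProvider:
    """Stand-in for the fine-grained auth provider named in the issue."""

    def __init__(self, associations):
        self._associations = list(associations)

    def get_user_associations_for_org(self, org_id):
        # Mirrors the reported behaviour: direct reporting-org roles AND
        # tool-derived PROVIDER_ADMIN associations are both returned.
        return [a for a in self._associations if a.org_id == org_id]

    def get_user_roles_for_org(self, user_id, org_id):
        return [a.role for a in self._associations
                if a.user_id == user_id and a.org_id == org_id]


class LastUserError(Exception):
    """Deleting this association would leave the org without a direct user."""


def delete_reporting_org_role_unsafe(provider, user_id, org_id):
    """Current behaviour: every association counts as an org 'user'."""
    if not provider.get_user_roles_for_org(user_id, org_id):
        raise LookupError("user has no role in org")
    users_in_org = provider.get_user_associations_for_org(org_id)
    if len({a.user_id for a in users_in_org}) <= 1:
        raise LastUserError("cannot remove the last user of the organisation")
    return True  # deletion would proceed


def delete_reporting_org_role_fixed(provider, user_id, org_id):
    """Expected behaviour: only direct reporting-org role holders count."""
    if not provider.get_user_roles_for_org(user_id, org_id):
        raise LookupError("user has no role in org")
    direct_holders = {
        a.user_id
        for a in provider.get_user_associations_for_org(org_id)
        if a.source == "reporting_org"  # tool-derived PROVIDER_ADMIN ignored
    }
    if user_id in direct_holders and len(direct_holders) <= 1:
        raise LastUserError("cannot remove the last direct reporting-org user")
    return True


# Constructed scenario from the issue: one direct user, one tool-derived admin.
SCENARIO = FakeFgaProvider([
    Association("alice", "org-1", "ORG_EDITOR", "reporting_org"),
    Association("tool-admin", "org-1", "PROVIDER_ADMIN", "tool"),
])


def unsafe_check_allows_deletion():
    """True if the current check would let alice's only direct role be removed."""
    try:
        return delete_reporting_org_role_unsafe(SCENARIO, "alice", "org-1")
    except LastUserError:
        return False


def fixed_check_allows_deletion():
    """True if the corrected check would let alice's only direct role be removed."""
    try:
        return delete_reporting_org_role_fixed(SCENARIO, "alice", "org-1")
    except LastUserError:
        return False


if __name__ == "__main__":
    print("current check lets alice be removed:", unsafe_check_allows_deletion())  # True
    print("fixed check lets alice be removed:", fixed_check_allows_deletion())      # False
```

The current-style check sees two distinct user ids for `org-1` and lets the deletion through, leaving the org with only the tool PROVIDER_ADMIN; the fixed check filters to direct reporting-org holders first, finds alice is the only one, and refuses. Whichever way the real provider distinguishes the two association kinds, the filter belongs in the route (or in a dedicated provider method) rather than in a count over the mixed list.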
