
Prevent last Group Managed Account owner with access from accidental unlinking

What

Disables the unlink SSO button on the profile page for the last owner able to administer a Group Managed Account group.

Helps ensure that at least one owner is either managed by the group or has SAML linked.

Why

The last_owner? check on the group prevents the last owner's membership from being removed, but does not prevent their SAML account from being unlinked.

In this state the owner would be unable to access the group due to SSO Enforcement.

Attempting to reconnect SAML in that situation results in being asked to create a new Group Managed Account, leaving a situation where no owner is able to access the group.
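The gap described above, as an added example that is not GitLab's own code: the existing-style last_owner? check counts owners, while the check this MR needs counts owners who can still get through SSO enforcement (managed by the group or with SAML linked). The User and Group classes, enforced_sso flag and unlink_sso_allowed? helper are simplified stand-ins assumed for illustration.

```ruby
# Added example, not code from the GitLab code base. Models are assumed stand-ins.

# Minimal user: SAML linked? Managed by the group?
User = Struct.new(:name, :saml_linked, :managed_by_group, keyword_init: true) do
  def saml_linked?
    saml_linked
  end

  def managed_by_group?
    managed_by_group
  end
end

class Group
  attr_reader :owners, :enforced_sso

  def initialize(owners:, enforced_sso: true)
    @owners = owners
    @enforced_sso = enforced_sso
  end

  # Membership-removal style check: is this the only owner at all?
  # This guards removal, but says nothing about SAML being unlinked.
  def last_owner?(user)
    owners.include?(user) && owners.size == 1
  end

  # An owner who can actually get past SSO enforcement.
  def owner_with_access?(user)
    owners.include?(user) && (user.managed_by_group? || user.saml_linked?)
  end

  def owners_with_access
    owners.select { |o| owner_with_access?(o) }
  end

  # The check the unlink button needs: is this the last owner able to
  # administer the group once SSO enforcement is taken into account?
  def last_owner_with_access?(user)
    owner_with_access?(user) && owners_with_access.size == 1
  end
end

# Whether the unlink SSO button should be enabled for this user.
def unlink_sso_allowed?(group, user)
  return true unless group.enforced_sso       # no enforcement, no lock-out risk
  return true unless user.saml_linked?        # nothing to unlink
  !group.last_owner_with_access?(user)
end

# Simulated unlink action, refusing when it would lock every owner out.
def unlink_sso!(group, user)
  unless unlink_sso_allowed?(group, user)
    raise "unlink disabled: #{user.name} is the last owner with access"
  end
  user.saml_linked = false
  user
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data: alice is SAML-linked, bob is an owner with no link.
  alice = User.new(name: "alice", saml_linked: true, managed_by_group: false)
  bob = User.new(name: "bob", saml_linked: false, managed_by_group: false)
  group = Group.new(owners: [alice, bob])
  puts "last_owner?(alice): #{group.last_owner?(alice)}"                    # false: two owners
  puts "last_owner_with_access?(alice): #{group.last_owner_with_access?(alice)}" # true
  puts "unlink allowed for alice: #{unlink_sso_allowed?(group, alice)}"     # false
end
```

The point of the two-owner sample is that last_owner? returns false (bob is still an owner), so the membership check would not fire, yet bob cannot pass SSO enforcement, so alice unlinking would leave nobody able to administer the group. Adding a group-managed owner, or a second SAML-linked owner, makes the unlink allowed again.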

Screenshots

Before: screenshot_2020-05-19-11_06_50
After: screenshot_2020-05-19-11_05_16

Acceptance criteria

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team