Log audit events when users receive Minimum Access role due to seat unavailability
**Note: this might be done post GA**
### Problem
No audit trail exists when users are automatically assigned Minimum Access (MA) role due to seat limits, when Restricted Access is enabled, so that:
- Compliance and security teams cannot track why users have certain access levels
- It's difficult to investigate historical provisioning issues
- There's no visibility for retrospective analysis of seat utilization patterns
### Proposed Solution
Create audit log entries when users are provisioned via protocol and assigned MA role due to seat limits.
Log should capture:
- User identifier (email/username)
- Provisioning method (SCIM/SAML/LDAP)
- Timestamp
- Reason: "Assigned MA due to seat limit with RA enabled"
- Namespace/group
Make searchable/filterable in audit logs.
#### Acceptance criteria:
- Audit events created consistently
- Searchable by reason/type
- Available in standard audit log exports
issue