fix: scim v2 endpoints enforce user resource owner (#9273)

# Which Problems Are Solved
- If a SCIM endpoint is called with an orgID in the URL that is not the
resource owner, no error is returned, and the action is executed.

# How the Problems Are Solved
- The orgID provided in the SCIM URL path must match the resource owner
of the target user. Otherwise, an error will be returned.

# Additional Context

Part of https://github.com/zitadel/zitadel/issues/8140

internal/api/scim/integration_test/users_update_test.go

@@ -10,7 +10,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/brianvoe/gofakeit/v6"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -28,7 +27,7 @@ var (
 	//go:embed testdata/users_update_test_full.json
 	fullUserUpdateJson []byte
 
-	minimalUserUpdateJson = simpleReplacePatchBody("nickname", "foo")
+	minimalUserUpdateJson = simpleReplacePatchBody("nickname", "\"foo\"")
 )
 
 func init() {
@@ -44,9 +43,6 @@ func TestUpdateUser(t *testing.T) {
 		require.NoError(t, err)
 	}()
 
-	iamOwnerCtx := Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
-	secondaryOrg := Instance.CreateOrganization(iamOwnerCtx, gofakeit.Name(), gofakeit.Email())
-
 	tests := []struct {
 		name          string
 		body          []byte
@@ -74,7 +70,15 @@ func TestUpdateUser(t *testing.T) {
 		},
 		{
 			name:        "other org",
-			orgID:       secondaryOrg.OrganizationId,
+			orgID:       SecondaryOrganization.OrganizationId,
+			body:        minimalUserUpdateJson,
+			wantErr:     true,
+			errorStatus: http.StatusNotFound,
+		},
+		{
+			name:        "other org with permissions",
+			ctx:         Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner),
+			orgID:       SecondaryOrganization.OrganizationId,
 			body:        minimalUserUpdateJson,
 			wantErr:     true,
 			errorStatus: http.StatusNotFound,