Teleport should auto-lock accounts during common actions (for example account delete)

[jentfoo]

Whenever an account or session must be immediately denied, our locking functionality must be used: https://goteleport.com/docs/access-controls/guides/locking/

This is not always intuitive, and customers may be unaware that this is required when an account is deleted or roles are changed. We should consider auto-adding locks where it is reasonable and easy to do so. For example:

• When an account is deleted we should lock the account (or all sessions) to ensure that access is immediately revoked
• When password or MFA changes are applied, we should offer to the user to lock existing sessions
• When a users role changes are modified by an administrator, we should offer to lock existing sessions

Raised in part from this issue: https://github.com/gravitational/security-findings/issues/73

[zmb3]

This has come up several times before for access requests, and we have decided not to do it.

• https://github.com/gravitational/teleport/issues/10018
• https://github.com/gravitational/teleport/issues/15356
• https://github.com/gravitational/teleport/issues/28549

Whatever we do, it should probably be consistent. I would not expect this behavior to differ for users and access requests.

[jentfoo]

This seems to be a frequent source of confusion, so I think we should continue to consider this