feat: Allow including Access Lists as nested members and owners

- Recursively check for accesslist membership

- Allow adding/removing/listing included access lists in acl commands

- Add a recursive test

- Use dynamic access lists structure from RFD

- Resolve proto changes

- Exclude 'list' members from Access List memberCount

- Calc Access List member count with members of type 'list' excluded,
  return seperately to front end

- Update examples/integrations

- Update crd docs

- Update tf docs

- Perform calculation of inherited roles/traits to AccessList service in
  order to utilize cache and minimize number of requests.

- Grant Okta integration RO for Access Lists

- Update AccessListMember-* events

- Include count for inherited grants

- Include MembershipKind of affected member(s)

- Emit inherited grants / members' MembershipKind for AccessListMember-*
  events

- Update notified owners for Access Requests

- Ensure dynamic owners are notified for Access Requests

- Ensure dynamic owners are notified via Slack integration

- Add `accesslistconv.{ToOwnerProto/FromOwnerProto}` for convenience

- Optionally pass an AbortSignal to `fetchAccessLists` in Web UI

chore: Consolidate common nested Access List funcs

- Move common nested-AccessList-related funcs to
  lib/accesslists/hierarchy

- Modify Grant inheritance so Members in lists added as Owners inherit
  Ownership and OwnerGrants, instead of just Ownership

- Update UserLoginStateGenerator to reflect this change in Grant
  inheritance, and to not store inherited grants on `state` object

- Don't check membership/ownership of AccessList while User is locked

- Replace usages of `services.IsAccessListOwner` with `Hierarchy`

- Replace usages of `services.IsAccessListOwner/IsAccessListMember` with
  equivelant funcs from `Hierarchy`

- Remove final references to AccessListMembershipChecker

- Don't allow ACL deletion when member/owner in other lists

- Guard Access List deletion behind membership/ownership checks for List

- Expose Hierarchy func to recursively get all members

- Tidy UserLoginStateGenerator logic involving ACL Membership/Ownership

api/client/accesslist/accesslist.go

@@ -23,6 +23,7 @@ import (
 	accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
 	"github.com/gravitational/teleport/api/types/accesslist"
 	conv "github.com/gravitational/teleport/api/types/accesslist/convert/v1"
+	traitv1 "github.com/gravitational/teleport/api/types/trait/convert/v1"
 )
 
 // Client is an access list client that conforms to the following lib/services interfaces:
@@ -113,6 +114,21 @@ func (c *Client) GetAccessListsToReview(ctx context.Context) ([]*accesslist.Acce
 	return accessLists, nil
 }
 
+// GetInheritedGrants returns grants inherited by access list accessListID from parent access lists.
+func (c *Client) GetInheritedGrants(ctx context.Context, accessListID string) (*accesslist.Grants, error) {
+	resp, err := c.grpcClient.GetInheritedGrants(ctx, &accesslistv1.GetInheritedGrantsRequest{
+		AccessListId: accessListID,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return &accesslist.Grants{
+		Roles:  resp.Grants.Roles,
+		Traits: traitv1.FromProto(resp.Grants.Traits),
+	}, nil
+}
+
 // UpsertAccessList creates or updates an access list resource.
 func (c *Client) UpsertAccessList(ctx context.Context, accessList *accesslist.AccessList) (*accesslist.AccessList, error) {
 	resp, err := c.grpcClient.UpsertAccessList(ctx, &accesslistv1.UpsertAccessListRequest{
@@ -151,15 +167,15 @@ func (c *Client) DeleteAllAccessLists(ctx context.Context) error {
 }
 
 // CountAccessListMembers will count all access list members.
-func (c *Client) CountAccessListMembers(ctx context.Context, accessListName string) (uint32, error) {
+func (c *Client) CountAccessListMembers(ctx context.Context, accessListName string) (users uint32, lists uint32, err error) {
 	resp, err := c.grpcClient.CountAccessListMembers(ctx, &accesslistv1.CountAccessListMembersRequest{
 		AccessListName: accessListName,
 	})
 	if err != nil {
-		return 0, trace.Wrap(err)
+		return 0, 0, trace.Wrap(err)
 	}
 
-	return resp.Count, nil
+	return resp.Count, resp.ListCount, nil
 }
 
 // ListAccessListMembers returns a paginated list of all access list members for an access list.
@@ -221,6 +237,26 @@ func (c *Client) GetAccessListMember(ctx context.Context, accessList string, mem
 	return member, trace.Wrap(err)
 }
 
+// GetAccessListOwners returns a list of all owners in an Access List, including those inherited from nested Access Lists.
+//
+// Returned Owners are not validated for ownership requirements – use `IsAccessListOwner` for validation.
+func (c *Client) GetAccessListOwners(ctx context.Context, accessListName string) ([]*accesslist.Owner, error) {
+	resp, err := c.grpcClient.GetAccessListOwners(ctx, &accesslistv1.GetAccessListOwnersRequest{
+		AccessList: accessListName,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	owners := make([]*accesslist.Owner, 0, len(resp.Owners))
+	for _, owner := range resp.Owners {
+		ownerProto := conv.FromOwnerProto(owner)
+		owners = append(owners, &ownerProto)
+	}
+
+	return owners, nil
+}
+
 // UpsertAccessListMember creates or updates an access list member resource.
 func (c *Client) UpsertAccessListMember(ctx context.Context, member *accesslist.AccessListMember) (*accesslist.AccessListMember, error) {
 	resp, err := c.grpcClient.UpsertAccessListMember(ctx, &accesslistv1.UpsertAccessListMemberRequest{