In the REST API, the method and URL to delete a tenant is:
The side effect of this URL scheme is that when a tenant with the name users or user-groups is created, then it cannot be deleted because any attempt to remove it is interpreted as a request to remove a user/user group from a tenant.
In a similar fashion, the the method and URL to delete a tenant is:
while the method and URL to remove a user from a user group is:
in this case, if a user group is named users it becomes impossible to remove it later since an attempt to do so is interpreted as a request to remove a user from a user group.
Given that the URL mapping cannot be changed without creating a new major version of the API, I believe that the tenant/user group names that can cause problems shouldn't be allowed when trying to create them in the first place.
Quick way to reproduce the problem: