I doubt the behaviour you indicate here. sonar-users really is a special built-in group. So even if LDAP Group Mapping is effective, any logged-in user will still virtually belong to sonar-users (even though sonar-users is not defined in LDAP). Just verified this on 6.7.x LTS and 7.2,
sonar-users shows up under My Account after logging-in.
Why can’t you prevent that ? SonarQube admins have full control over permissions given to Anyone, and it would definitely make sense that Anyone is not allowed to run an analysis.
This doesn’t seem like a strong enough reason on the long term. Can pose security concerns, and also demeans any traceability of what’s going on.
I would suggest to not allow anyone by default, and let project admins override this at their own risk.