@gjermund welcome to the FusionAuth community!

Interesting problem. You might be able to model this with Groups and Applications. I'm not quite sure how it relates to multi tenant; tenants are really about separating user accounts and configuration so that users in one tenant won't be aware at all of user accounts in other tenants, even if they have the same email address.

One thing to note is that roles are never assigned in FusionAuth if a user isn't registered to an application. Let's assume you have two orgs (org1, org2) and two facilities (fac1, fac2).

So, let's say you have an application AppA (you can have more, you'd just need to replicate all the roles for each application, so I'd script their creation using the API).

AppA roles: org1admin, org1manager, org1member, org2admin, org2manager, org2member, fac1manager, fac1member, fac1auditor, fac2manager, fac2member, fac2auditor

Now, let's assume there are two users, Alice and Bob. Alice is an admin in org1 and a member in org2, as well as an auditor in fac1. Bob is just a member in org2. Both are registered for AppA (remember, roles are dependent on applications and a user being registered for an application!)

If I created a group for each role:

org1adminGroup, org1managerGroup, org1memberGroup, org2adminGroup, org2managerGroup, org2memberGroup, fac1managerGroup, fac1memberGroup, fac1auditorGroup, fac2managerGroup, fac2memberGroup, fac2auditorGroup

I can add users to one or more groups and they will pick up the roles. The roles will be available in both the JWT generated on login and the user object retrieved by the User API.

So I'd add Bob to the org2memberGroup only. If Bob isn't registered for AppA, he doesn't pick up any roles, no matter what groups he is in.

And I'd add Alice to the following groups:

org1adminGroup, org2memberGroup, fac1auditorGroup
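As an added illustration (not part of the original answer, and a plain local model of the rule described above rather than FusionAuth's own code), here is the group-to-role resolution for Alice and Bob in Python. It generates the per-org and per-facility role names you would script for each application, and shows that a user only picks up roles for an application they are registered for, whatever groups they are in:

```python
# Added example: models the group -> role -> registration rule from the answer above.
# All names (orgs, facilities, users, groups) are constructed sample data.
from itertools import product

ORGS = ["org1", "org2"]
FACILITIES = ["fac1", "fac2"]
ORG_ROLES = ["admin", "manager", "member"]
FAC_ROLES = ["manager", "member", "auditor"]


def role_names():
    """Role names needed for one application; replicate this list per application."""
    org = [f"{o}{r}" for o, r in product(ORGS, ORG_ROLES)]
    fac = [f"{f}{r}" for f, r in product(FACILITIES, FAC_ROLES)]
    return org + fac


def group_to_roles():
    """One group per role, named <role>Group, each mapping to exactly that role."""
    return {f"{name}Group": {name} for name in role_names()}


GROUPS = group_to_roles()

# Constructed sample data: who is registered for which application, and group membership.
REGISTRATIONS = {"alice": {"AppA"}, "bob": {"AppA"}}
MEMBERSHIPS = {
    "alice": ["org1adminGroup", "org2memberGroup", "fac1auditorGroup"],
    "bob": ["org2memberGroup"],
}


def effective_roles(user, app, registrations=REGISTRATIONS,
                    memberships=MEMBERSHIPS, groups=GROUPS):
    """Roles the user holds in `app`: the union of their groups' roles,
    but only when the user is registered for that application."""
    if app not in registrations.get(user, set()):
        return set()  # not registered -> no roles, regardless of group membership
    roles = set()
    for group in memberships.get(user, ()):
        roles |= groups.get(group, set())
    return roles


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, sorted(effective_roles(who, "AppA")))
    # Bob with his AppA registration removed: same groups, zero roles.
    print("bob (unregistered)", effective_roles("bob", "AppA", {"alice": {"AppA"}}))
```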