@gjermund welcome to the FusionAuth community!
Interesting problem. You might be able to model this with Groups and Applications. I'm not quite sure how it relates to multi tenant; tenants are really about separating user accounts and configuration so that users in one tenant won't be aware at all of user accounts in other tenants, even if they have the same email address.
One thing to note is that roles are never assigned in FusionAuth if a user isn't registered to an application. Let's assume you have two orgs (org1, org2) and two facilities (fac1, fac2).
So, let's say you have an application AppA (you can have more, you'd just need to replicate all the roles for each application, so I'd script their creation using the API).
AppA roles:
org1admin
org1manager
org1member
org2admin
org2manager
org2member
fac1manager
fac1member
fac1auditor
fac2manager
fac2member
fac2auditor
Now, let's assume there are two users, Alice and Bob. Alice is an admin in org1 and a member in org2, as well as an auditor in fac1. Bob is just a member in org2. Both are registered for AppA (remember, roles are dependent on applications and a user being registered for an application!)
If I created a group for each role:
org1adminGroup
org1managerGroup
org1memberGroup
org2adminGroup
org2managerGroup
org2memberGroup
fac1managerGroup
fac1memberGroup
fac1auditorGroup
fac2managerGroup
fac2memberGroup
fac2auditorGroup
I can add users to one or more groups and they will pick up the roles. The roles will be available in both the JWT generated on login and the user object retrieved by the User API.
So I'd add Bob to the org2memberGroup only. If Bob isn't registered for AppA, he doesn't pick up any roles, no matter what groups he is in.
And I'd add Alice to the following groups:
org1adminGroup
org2memberGroup
fac1auditorGroup
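As an added illustration (not part of this thread's replies and not FusionAuth's own code), here is a small Python model of the scheme described above. It generates the role and group names for any number of orgs and facilities, builds the request bodies you would script against the Application and Group APIs, and resolves a user's effective roles so that a user who is in groups but not registered for the application gets no roles at all. The payload shapes, the `group_roles` structure and the role ids are assumptions made for the example; FusionAuth's API documentation is authoritative for the real request format.

```python
from itertools import product

# Constructed example data following the post: two orgs and two facilities.
ORGS = ["org1", "org2"]
FACILITIES = ["fac1", "fac2"]
ORG_ROLES = ["admin", "manager", "member"]
FACILITY_ROLES = ["manager", "member", "auditor"]
APP = "AppA"


def build_role_names(orgs, facilities):
    """Per-org and per-facility role names for one application (12 for 2+2)."""
    org_roles = [f"{o}{r}" for o, r in product(orgs, ORG_ROLES)]
    fac_roles = [f"{f}{r}" for f, r in product(facilities, FACILITY_ROLES)]
    return org_roles + fac_roles


def group_name(role):
    """One group per role, named <role>Group as in the post."""
    return f"{role}Group"


def application_payload(app_name, roles):
    """Body for creating the application together with its roles.
    Assumed shape: application.roles[].name (verify against the Application API docs)."""
    return {"application": {"name": app_name,
                            "roles": [{"name": r} for r in roles]}}


def group_payloads(roles, role_ids):
    """One create-group body per role; role_ids maps role name -> role id as
    returned when the application was created. Assumed shape: group.name + roleIds."""
    return [{"group": {"name": group_name(r)}, "roleIds": [role_ids[r]]}
            for r in roles]


def effective_roles(user, app, registrations, memberships, group_roles):
    """Roles `user` holds for `app`, following the rule in the post: roles carried
    by groups are only picked up if the user is registered for that application.
    registrations: {user: set(app)}; memberships: {user: set(group)};
    group_roles: {group: {app: set(role)}} (roles are scoped per application)."""
    if app not in registrations.get(user, set()):
        return set()
    roles = set()
    for group in memberships.get(user, set()):
        roles |= group_roles.get(group, {}).get(app, set())
    return roles


def roles_claim(user, app, registrations, memberships, group_roles):
    """The sorted `roles` array that would show up in the login JWT and the User API."""
    return sorted(effective_roles(user, app, registrations, memberships, group_roles))


ROLES = build_role_names(ORGS, FACILITIES)
# Constructed role ids standing in for the ids FusionAuth assigns on creation.
ROLE_IDS = {r: f"constructed-role-id-{i}" for i, r in enumerate(ROLES)}
# One group per role, each group granting exactly that role in AppA.
GROUP_ROLES = {group_name(r): {APP: {r}} for r in ROLES}
REGISTRATIONS = {"alice": {APP}, "bob": {APP}}
MEMBERSHIPS = {
    "alice": {"org1adminGroup", "org2memberGroup", "fac1auditorGroup"},
    "bob": {"org2memberGroup"},
}

if __name__ == "__main__":
    print(application_payload(APP, ROLES))
    for body in group_payloads(ROLES, ROLE_IDS):
        print(body)
    for user in ("alice", "bob"):
        print(user, roles_claim(user, APP, REGISTRATIONS, MEMBERSHIPS, GROUP_ROLES))
    # Bob with his AppA registration removed: still in org2memberGroup, but no roles.
    print("bob (unregistered)",
          roles_claim("bob", APP, {"alice": {APP}}, MEMBERSHIPS, GROUP_ROLES))
```

Because `group_roles` is keyed by application, adding a second application means adding its replicated role set under each group's entry, which mirrors the replication the post mentions; the registration check stays the same, so a user still sees nothing for an application they are not registered for.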