I'd use a webhook to provision/deprovision the grants.

https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-registration-create-complete/ has the roles for the application, so in the webhook, you can call the FusionAuth grant API to create or revoke the grant.

For initial setup, run a script to get all the users that have a given role (using a user search query) and then grant them access to all the entities.

Think about what happens when a new piece of equipment is added. From what I gather, all users with the "viewer" role will need to be granted access to that equipment. You can take care of that within the 'new equipment added' script: provision the equipment, then add the grant to all users with the "viewer" role.

Depending on when you are going to check the grant and the number of users and pieces of equipment, this may be a good thing to use a queue like SQS for, to add/revoke/update grants asynchronously.
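
The webhook step described above, sketched as an added example that is not part of the original post or FusionAuth's own code: it turns a registration event into a list of grant jobs that a worker or queue consumer can execute. The function name, the job format, the sample ids, and the Grant API paths and payload field names as written here are assumptions to check against the FusionAuth docs for your version; the function reconciles against existing grants, which goes slightly beyond the create-only case in the post.

```python
# Added example: plans grant changes from a webhook event; no network I/O.
REG_COMPLETE = "user.registration.create.complete"
VIEWER_ROLE = "viewer"  # role name used in the post

def plan_grant_jobs(payload, app_id, equipment_ids, existing_grants=()):
    """Return jobs (one per Grant API call) for a worker or queue to execute.

    Assumes the webhook request was authenticated before parsing, that
    equipment_ids lists every equipment entity, and that existing_grants
    lists entity ids the user already has a grant on (both looked up elsewhere).
    """
    event = payload.get("event") or {}
    if event.get("type") != REG_COMPLETE:
        return []
    reg = event.get("registration") or {}
    user_id = (event.get("user") or {}).get("id")
    reg_app = reg.get("applicationId") or event.get("applicationId")
    if not user_id or reg_app != app_id:
        return []  # malformed event or a different application: do nothing
    is_viewer = VIEWER_ROLE in (reg.get("roles") or [])
    wanted = set(equipment_ids) if is_viewer else set()
    have = set(existing_grants)
    jobs = []
    for entity_id in sorted(wanted - have):  # provision missing grants
        jobs.append({"method": "POST", "path": f"/api/entity/{entity_id}/grant",
                     "body": {"grant": {"userId": user_id}}})
    for entity_id in sorted(have - wanted):  # deprovision stale grants
        jobs.append({"method": "DELETE", "path": f"/api/entity/{entity_id}/grant",
                     "params": {"userId": user_id}})
    return jobs

# Constructed sample event and ids (not real data)
APP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_EVENT = {"event": {
    "type": REG_COMPLETE,
    "applicationId": APP_ID,
    "user": {"id": "22222222-2222-2222-2222-222222222222"},
    "registration": {"applicationId": APP_ID, "roles": ["viewer"]},
}}

if __name__ == "__main__":
    for job in plan_grant_jobs(SAMPLE_EVENT, APP_ID, ["pump-1", "pump-2"], ["pump-2"]):
        print(job)
```

Because the function only plans work, each returned job can be sent as one queue message and retried independently if a grant call fails.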