permissions differentiate by roles, but the user belong one specific tenant if i want all the tenant user can one set of role. how to reach that. thanks.
That's not automatically possible and not appropriate to design. But you can surely enforce it by your application code and allow defiinig roles by a host user (when you add a role, copy all to all tenants and so on...). But tenant based roles are more dynamic, why don't you like it :)