There are probably many ways of doing this, but I’ve used the following method, which uses tags for tenancy and RBAC separation. The downside to this method is the overhead of tagging everything, but this can be automated to some extent.
I use 2 tag categories - ‘Visibility’ to determine what a group or tenant can see, and ‘Owner’ to determine who owns what. Visibility has a Single Value of ‘No’ as you probably want to assign this multiple times to various objects, and ‘Owner’ has a Single Value of ‘Yes’ as you probably only want an object like a VM to be owned by one group or person. You create a tag in each category for each tenant or group (depending how granular you want to make the RBAC).
Now you create your tenant groups. I normally create an admin-level equivalent with a role similar to EvmRole-administrator (probably edit this down slightly), and a user-level equivalent with a role similar to EvmRole-user. It’s often easiest to create custom roles based on the out-of-the-box ones to fine-tune what each group can see.
When you create the groups, add them to the appropriate tenant, and then use the ‘Assign Filters’ section to determine what each group can see. Select User is limited to specific tags, and pick Visibility as the category and your tenant or group name as the value.
Now the painful part - you need to find each infrastructure component and tag it accordingly. You probably want to tag some things like templates with all visibility tags, but other things like your resource pools and VMs with only the visibility tag of the intended tenant or group that will access it. The plus side is that tagging can be done from an automate script (and the API), so you can add the appropriate tags at the end of any workflow that creates things like VMs.
There’s a brief description of tenancy in the context of automate here, which shows the tenancy inherited object visibility rules (caveat: this was written several versions ago, so things might have changed).
Also, this is a useful description of RBAC in ManageIQ.
Hope this helps.
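The tagging step at the end of a VM-creating workflow, sketched as an automate method (an added example, not part of the original post). It assumes the tag categories are named `visibility` and `owner`, that a tag for the tenant already exists in both, and that the tenant tag name arrives in a hypothetical dialog field `dialog_tenant_tag`.

```ruby
# Added example, not from the original post. Assumed names: categories
# 'visibility' and 'owner', dialog field 'dialog_tenant_tag'.
VISIBILITY_CATEGORY = 'visibility'.freeze # multi-value ("Single Value: No")
OWNER_CATEGORY      = 'owner'.freeze      # single-value ("Single Value: Yes")
TAG_NAME_FORMAT     = /\A[a-z0-9_]{1,50}\z/

# Tag +vm+ so it carries only the visibility tag of +tenant+ and is owned by it.
# Fails closed: a malformed or unknown tag name raises before the VM is touched,
# so a bad dialog value cannot create tags or widen who can see the VM.
# Returns the visibility tags of other tenants that were removed.
def apply_tenant_tags(evm, vm, tenant)
  unless tenant.to_s.match?(TAG_NAME_FORMAT)
    raise ArgumentError, "invalid tag name: #{tenant.inspect}"
  end

  [VISIBILITY_CATEGORY, OWNER_CATEGORY].each do |category|
    next if evm.execute('tag_exists?', category, tenant)
    raise ArgumentError, "tag #{category}/#{tenant} does not exist"
  end

  # Remove visibility tags for any other tenant already on the VM.
  stale = vm.tags(VISIBILITY_CATEGORY) - [tenant]
  stale.each { |old| vm.tag_unassign("#{VISIBILITY_CATEGORY}/#{old}") }

  vm.tag_assign("#{VISIBILITY_CATEGORY}/#{tenant}")
  vm.tag_assign("#{OWNER_CATEGORY}/#{tenant}")

  # Confirm both tags landed before the workflow reports success.
  missing = [VISIBILITY_CATEGORY, OWNER_CATEGORY].reject do |category|
    vm.tagged_with?(category, tenant)
  end
  raise "tagging failed for: #{missing.join(', ')}" unless missing.empty?

  stale
end

# Entry point inside the automate engine; $evm is nil anywhere else.
if $evm
  vm = $evm.root['vm'] || $evm.root['miq_provision']&.vm
  removed = apply_tenant_tags($evm, vm, $evm.root['dialog_tenant_tag'])
  $evm.log(:info, "Tagged #{vm.name}; removed visibility tags: #{removed.inspect}")
end
```

Requiring the tags to exist beforehand keeps the set of tenant tags under the administrator's control, since the group filters described above reference them by name.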