There’s a brief description of tenancy with regard to automate here, but it may be a useful general overview.
The thing to keep in mind is that groups are members of tenants, and users are members of groups. A user therefore becomes part of a tenant through that user’s group membership.
Groups have roles, but roles are not tenant-specific so for example several groups in different tenants can share the same role.
As a matter of course I normally clone the standard roles such as EvmRole-user or EvmRole-administrator to my own roles such as MyOrg_Role-user, which means I can fine-tune the product features that groups with that role can see.
Hope this helps,