When using tags for RBAC, I usually create two tag categories, visibility and owner. Both categories contain the same tags (usually the department or group names), but the multi-value visibility tag is used to determine who can see what - templates, service catalog items, VMs, hosts, datastores, etc. - and the single-value owner tag is used to indicate which objects are owned by whom, which is useful for accounting, chargeback, quotas, etc. Objects are generally owned by a single group, hence the single-value tag category. The visibility tag can also be used for VM provisioning placement instead of the prov_scope tag if you wish.
So in your example I’d tag the service catalog item with visibility/tribe_1, visibility/tribe_2 & visibility/tribe_master so that everyone could see it. Your AP_CLD_Tribe1* groups would have an assigned filters tag of visibility/tribe_1, and any services created by a group member would be tagged with both visibility/tribe_1 and owner/tribe_1 to indicate ownership, and to allow group members to see it. You could also tag the new service with visibility/tribe_master if you want your “master” admins to see it.
Tagging items in this way also makes it easy to sanity check who should be able to see it, by just looking at the list of visibility tags.
Hope this helps,
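The two-category scheme described in the post above, as an added, stand-alone Ruby model (not the poster's code and not ManageIQ's own tagging API): `TaggedObject`, `CATEGORIES`, `visible_to?` and `tag_new_service` are constructed here, the "owner" category is enforced as single-value, and group visibility is treated as an any-match on the object's visibility tags (an assumption of this model).

```ruby
# Constructed model of the visibility/owner tagging scheme: "visibility" is a
# multi-value category used for RBAC filtering, "owner" is single-value and
# used for accounting. This is illustrative code, not ManageIQ's API.
CATEGORIES = {
  "visibility" => { single_value: false },
  "owner"      => { single_value: true },
}.freeze

class TaggedObject
  attr_reader :name, :tags

  def initialize(name)
    @name = name
    @tags = []          # entries look like "visibility/tribe_1"
  end

  # Assign a "category/tag" string, enforcing the category's cardinality:
  # a single-value category drops any previous tag from that category.
  def tag_assign(tag)
    category, _value = tag.split("/", 2)
    spec = CATEGORIES.fetch(category) { raise ArgumentError, "unknown category #{category}" }
    @tags.reject! { |t| t.start_with?("#{category}/") } if spec[:single_value]
    @tags << tag unless @tags.include?(tag)
    self
  end

  # Listing one category's tags is the "sanity check" the post mentions.
  def tags_in(category)
    @tags.select { |t| t.start_with?("#{category}/") }
  end
end

# A group's assigned filter tags (e.g. ["visibility/tribe_1"]): the object is
# visible when any of its visibility tags matches one of the group's filters.
def visible_to?(object, group_filters)
  (object.tags_in("visibility") & group_filters).any?
end

# Tag a newly provisioned service for the requesting group: visibility so the
# group can see it, owner for accounting, plus optional extra viewers such as
# the "master" admin group.
def tag_new_service(service, group, extra_visibility: [])
  service.tag_assign("visibility/#{group}").tag_assign("owner/#{group}")
  extra_visibility.each { |g| service.tag_assign("visibility/#{g}") }
  service
end

if __FILE__ == $PROGRAM_NAME
  svc = tag_new_service(TaggedObject.new("svc"), "tribe_1", extra_visibility: ["tribe_master"])
  puts svc.tags.inspect
end
```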