How many tenants do you expect to have?
Temporal provides pluggable Authorizer and ClaimMapper components with defaults based on JWT.
See more info in this post. With this you could set up specific rules based on user roles and namespaces you provide to your tenants.
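To illustrate the role-and-namespace rules mentioned above, here is an added example that is not from the original post and is not Temporal's own code: a stand-alone model in which a claim mapper turns already-verified JWT permission strings into per-namespace roles, and a deny-by-default authorizer checks them, so a tenant's token only works in its own namespace. The names `Role`, `Claims`, `MapClaims` and `Authorize`, the `namespace:role` string form and the tenant names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is a per-namespace permission bitmask (hypothetical stand-in, not Temporal's server API).
type Role int

const (
	RoleReader Role = 1 << iota
	RoleWriter
	RoleAdmin
)

// Claims is what the claim mapper hands to the authorizer: one role set per namespace.
type Claims struct {
	Namespaces map[string]Role
}

var roleNames = map[string]Role{"read": RoleReader, "write": RoleWriter, "admin": RoleAdmin}

// MapClaims parses "namespace:role" strings taken from a token whose signature was already verified.
func MapClaims(permissions []string) (*Claims, error) {
	c := &Claims{Namespaces: map[string]Role{}}
	for _, p := range permissions {
		ns, name, ok := strings.Cut(p, ":")
		role, known := roleNames[strings.ToLower(name)]
		if !ok || ns == "" || !known {
			return nil, fmt.Errorf("malformed permission %q", p) // reject the token, grant nothing
		}
		c.Namespaces[ns] |= role
	}
	return c, nil
}

// Authorize denies by default: the caller needs a role on the target namespace itself.
func Authorize(c *Claims, namespace string, readOnly bool) bool {
	if c == nil {
		return false
	}
	role := c.Namespaces[namespace] // zero Role for a namespace the token does not name
	return role&(RoleWriter|RoleAdmin) != 0 || (readOnly && role&RoleReader != 0)
}

func main() {
	c, _ := MapClaims([]string{"tenant-a:write", "tenant-b:read"}) // constructed sample claims
	fmt.Println(Authorize(c, "tenant-a", false), Authorize(c, "tenant-b", false))
}
```

With one namespace per tenant, the check that matters is the last one in `Authorize`: a namespace absent from the token yields the zero role and the call is refused.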