Hi,
After more investigation, it appears that the issue is with having the same role name in multiple tenants. (possibly related to the side effect seen in Multi Tenant page authentication drop down has multiple values)
This is another major multitenant limitation and makes role based authorization unscalable.
Suggestions for multitenancy features:
- Roles to be unique for tenant only but allow same name roles in other tenants.
- Username/emails for tenant only but allow same name Username/emails in other tenants.
- Apply tenant isolation in the database context server side.
Currently it looks like I'm going to have to ignore roles and create my own authorization 
unless anyone has another idea (please)??