you'll need to redefine the

object_type

per tenant to avoid having a user match by having the permission boundary in a different tenant but the direct access level in the document's tenant