1. Create a new set of static (as in, not to be changed by the users) roles:
system admin - full access to all resources (regardless of tenants)
tenant admin - full access to all resources (in specific tenants)
default - the default mode. Full access to resources in this user's tenant
viewer - can only view resources (in this user's tenant); can't create or delete resources.
suspended - can't view or create/delete resources. Can be used to block access for users (especially if they come from LDAP) without being forced to delete the user
2. Each new user is assigned the `default` role. In order to change, a new `cfy` command will be created.
Reviewed by Omer