I run a multi-tenant SaaS whose backend is FastAPI (Python) and whose front-end services are written in TypeScript. Authentication is already live through AWS Cognito, and every tenant operates on its own isolated MySQL database. What I now need is a centrally managed Role-Based Access Control layer that cleanly slots into this existing stack. Three roles must be recognised—Admin, Editor and Viewer—but they all share the same data scope; the only data restriction is that any signed-in user must see only the records that belong to them inside their tenant’s schema or view.

Key objectives

• Design or extend the permission model so that the roles are stored and validated centrally, ideally piggy-backing on Cognito groups or tokens.
• Wire the FastAPI endpoints so that row-level filters (or equivalent MySQL views) guarantee users cannot query, update or delete data outside their own tenant or personal scope.
• Touch the TypeScript layer only where necessary to surface role information and gracefully handle 403 responses.
• Provide concise docs and a test plan I can run locally (pytest or similar) to prove the enforcement works across all three roles.

If you have practical experience with AWS Cognito, FastAPI dependency injection, MySQL row-level security or similar patterns, this should be straightforward—we can iterate quickly on GitHub.
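As an added illustration (not code from the poster or their project) of the first two objectives: the logic a FastAPI dependency would run to derive the caller's role from Cognito group membership and to restrict every query to the caller's own rows in their tenant schema. It assumes the ID token has already been verified against the Cognito JWKS, that roles are Cognito groups named exactly Admin/Editor/Viewer, and that the tenant lives in a custom claim `custom:tenant_id` (all assumptions); the stdlib-only form keeps it runnable without FastAPI, and `PermissionDenied` is where an `HTTPException(status_code=403)` would be raised.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Admin > Editor > Viewer; all three share one data scope (per the brief).
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}
# Minimum role per action (assumed mapping; adjust to the real policy).
ACTION_MIN_ROLE = {"read": "Viewer", "update": "Editor", "delete": "Admin"}
_IDENT = re.compile(r"^[A-Za-z0-9_]{1,64}$")  # safe MySQL schema/table name

class PermissionDenied(Exception):
    """Raise as HTTPException(403) from the FastAPI dependency."""

@dataclass(frozen=True)
class Principal:
    sub: str        # Cognito user id, stored on each row as owner_sub
    tenant_id: str  # also the name of the tenant's MySQL schema
    role: str

def principal_from_claims(claims: dict) -> Principal:
    """Build the caller identity from already-verified Cognito claims."""
    groups = claims.get("cognito:groups") or []
    roles = [g for g in groups if g in ROLE_RANK]
    if not roles:
        raise PermissionDenied("no recognised role group on token")
    role = max(roles, key=ROLE_RANK.__getitem__)  # highest group wins
    tenant = claims.get("custom:tenant_id")
    if not tenant or not _IDENT.match(tenant):
        raise PermissionDenied("missing or malformed tenant claim")
    return Principal(sub=claims["sub"], tenant_id=tenant, role=role)

def require(action: str, principal: Principal) -> None:
    """Central role check; every endpoint calls this before touching data."""
    needed = ACTION_MIN_ROLE[action]
    if ROLE_RANK[principal.role] < ROLE_RANK[needed]:
        raise PermissionDenied(f"{principal.role} may not {action}")

def scoped_query(table: str, principal: Principal) -> tuple[str, tuple]:
    """Parameterised SELECT pinned to the caller's tenant schema and own rows.

    The tenant comes only from the verified token, never from the request,
    so a user cannot name another tenant's schema or another owner.
    """
    if not _IDENT.match(table):
        raise ValueError("invalid table name")
    sql = (f"SELECT * FROM `{principal.tenant_id}`.`{table}` "
           f"WHERE owner_sub = %s")
    return sql, (principal.sub,)
```

Wrapping `principal_from_claims` in a `Depends()` that reads the bearer token gives each endpoint a `Principal`, and `scoped_query` (or a per-tenant view applying the same `owner_sub` predicate) is the only path to the database.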