I use roles per tenant by storing a string like tenant:tenantId#owner. It works well, but I'd love to cleanup roles created when my DB (and thus the tenants) gets cleaned up. I guess something should look into the DB before cleaning it, find all tenants, remove all related roles from ST, then actually clean the DB. If any of you guys have a strategy for this, I'd love to hear it.