Multitenant app with team-owned resources

We’re developing a multi-tenant SaaS application, and we’re having a bit of trouble designing the RBAC.

Basically, we have this:

A user is attached to a tenant. It cannot belong to multiple tenants.
A tenant has N teams. The tenant owners can create new teams.
A team has resources. Several roles in a team give you access to restricted parts of the team. For example, a Viewer can read resources, and an Editor can update and add resources.
A user can have N roles inside a team.

We’d love to put all this information in Auth0, but we’re struggling with the “roles per team” part. How could we set that up?

We want to keep only one Auth0 tenant, with a single client and a single database.
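
The access model described in this post, written out as a deny-by-default authorization check. This is an added example, not part of the original post, and it is not Auth0 configuration or an Auth0 API. The class names, permission strings and sample tenants are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role -> permissions. Viewer/Editor behaviour follows the post;
# the permission strings themselves are assumed names.
ROLE_PERMISSIONS = {
    "Viewer": {"read"},
    "Editor": {"update", "add"},
}

@dataclass(frozen=True)
class Team:
    team_id: str
    tenant_id: str

@dataclass
class User:
    user_id: str
    tenant_id: str  # a user belongs to exactly one tenant
    team_roles: dict = field(default_factory=dict)  # team_id -> set of role names

def grant(user, team, role):
    """Assign a role inside a team; refuse unknown roles and cross-tenant grants."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if user.tenant_id != team.tenant_id:
        raise PermissionError("user and team belong to different tenants")
    user.team_roles.setdefault(team.team_id, set()).add(role)

def is_allowed(user, team, action):
    """Deny by default: allow only if a role held in this team grants the action."""
    if user.tenant_id != team.tenant_id:
        return False  # tenant boundary is checked before any role lookup
    roles = user.team_roles.get(team.team_id, set())
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)

# Constructed sample data (hypothetical tenants "acme" and "globex").
ACME_DOCS = Team("docs", "acme")
ACME_OPS = Team("ops", "acme")
GLOBEX_DOCS = Team("docs", "globex")  # same team id, different tenant
ALICE = User("alice", "acme")
grant(ALICE, ACME_DOCS, "Viewer")
grant(ALICE, ACME_OPS, "Viewer")  # several roles in one team
grant(ALICE, ACME_OPS, "Editor")
```

Because team ids here are only unique within a tenant, the tenant comparison in `is_allowed` is what keeps Alice's "docs" role from applying to the other tenant's "docs" team.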