The admin, or any role that includes this permission, can invite new users via the users' page. In this case, those users will have the permission the admin defined for that specific tenant.
The users will receive a tokenized link via email. If the user uses the token with a different email than the one invited, this other email will use the invitation and be granted the permissions.
In case the invitation token has not been used and the user signs in with an email that was invited (without using the tokenized link), the application will recognize it and allow the user to select if he wants to accept this invitation or create a new tenant.