Take the user's affiliation from the user info
We have recently revamped our authentication pipeline and may receive an optional "(scoped) affiliation" claim via the authentication tokens. They tell us about the user's home organization and their role there.
The first part can be transformed into a value for the affiliation in the user's profile, and the latter can be used to determine the level of permissions to give out automatically. That still needs to be implemented though.
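One way the transformation described above could look, as an added example that is not the project's own code. It assumes the claim arrives in the user info as `eduperson_scoped_affiliation` with eduPerson-style `role@scope` values; the `ROLE_LEVEL` mapping and the `trusted_scopes` allow-list are hypothetical.

```python
import re

# eduPerson controlled vocabulary for the role part (left of "@").
KNOWN_ROLES = {"faculty", "student", "staff", "alum", "member",
               "affiliate", "employee", "library-walk-in"}

# Hypothetical mapping from role to automatic permission level (0 = none).
ROLE_LEVEL = {"faculty": 2, "staff": 2, "employee": 2, "student": 1, "member": 1}

# Scope must look like a DNS-style name; anything else is rejected.
SCOPE_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")


def parse_scoped_affiliation(value):
    """Split 'role@scope' into (role, scope); return None if malformed."""
    if not isinstance(value, str) or value.count("@") != 1:
        return None
    role, scope = value.strip().lower().split("@")
    if role not in KNOWN_ROLES or not SCOPE_RE.match(scope):
        return None
    return role, scope


def affiliation_from_userinfo(userinfo, claim="eduperson_scoped_affiliation",
                              trusted_scopes=None):
    """Return the home organizations and permission level for a user.

    The claim is optional and may be a string or a list of strings.
    Missing, malformed or untrusted values never raise the level.
    """
    raw = userinfo.get(claim) or []
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, (list, tuple)):
        raw = []  # unexpected type: treat as absent
    parsed = [p for p in map(parse_scoped_affiliation, raw) if p]
    if trusted_scopes is not None:
        # Only count scopes the deployment expects the issuer to assert.
        parsed = [(r, s) for r, s in parsed if s in trusted_scopes]
    if not parsed:
        return {"home_organizations": [], "level": 0}
    orgs = sorted({scope for _, scope in parsed})
    level = max(ROLE_LEVEL.get(role, 0) for role, _ in parsed)
    return {"home_organizations": orgs, "level": level}
```
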