Allow different tenants than the owner to manage records in a domain (zone)

Tenant A owns a domain "dev.example.com" and it wants users who are part of dev organization to be able to manage their own records within the domain (zone). For example, tenant B creates records within the domain. Tenant B should be able to manage only records owned by tenant B though the domain could be owned by tenant A. Of course, tenant A has full control over all the records within the domain it owns. This will have impact on API access, Database etc

It will be possible to limit user access to records and domain based on permissions and filters. The permissions will be - read only, manage records, and manage zones. Each of these permissions can also have filters to provider even more granular access. The ability to limit which zones, record types, and data a user can read or manage will be possible with the filters. A user will be placed in a role which will define the permissions and filters they have.