Found a better way. (for Hybrid at least)
Create an Authentication Profile for each project. Cause, authentication is handled externally you don’t have to worry about keeping passwords in sync. And you would have to assign user to multiple roles anyway for those users that require it. This keeps things nice and simple.
(I know Robert, thats what you tried to tell me at first. Sometimes it takes awhile to sink in)