SSO with roles and permissions

We have projects that interact with regular users (general app) and company users (companies app). Therefore, in our projects, we generally have two types of Users:

  1. Regular - authenticates with phone_number as the identifier. Regular users are any Users that can do common stuff in our system.
  2. Staff - authenticates with email as the identifier. Staff Users belong to some company and they have some roles.

So we built an SSO app that keeps all users, because there are apps that need to know about any user, and having a separate app that handles users in one place was the better choice for us.

However, there are troubles with our idea...

The company app has its SUPERUSER, which can create a company, a company branch, the director of that company, etc. We create the company app's superuser in our SSO app and give it the COMPANY APP SUPERUSER role.

The SSO app does not hold the company-specific roles for users, and we don't want it to. That is the responsibility of the company app. So there is a problem when the director of a company wants to invite (create) an employee: he/she sends a request to the company app, which under the hood calls the SSO app endpoint to create the user. Inside the SSO app we don't know who is requesting user creation, because we only know COMPANY-APP-SUPERUSER. Other roles are hidden in the company app.

Questions:

  1. How can we separate the company app's specific roles and users?
  2. Should we store the roles and permissions of the company app in SSO?

P.S. The backend is written in Django, Python 3.9; SSO is based on JWT.