Allow admin user to only see users of its own tenancy

I am playing around with multi-tenancy within the webapps. What I would like to achieve is to create a user which can perform create/list/update/delete on other users, but only for users in its tenancy. I am not entirely sure how to go about configuring this. It seems that when a user of tenant XYZ creates a user, that user is not automatically placed in the same tenancy. Is this possible (creating an ‘admin’ user which manages only users in its tenancy)?

Perhaps this can also be phrased: how does one specify that a certain user has CRUD functionality on a group rather than specifying user by user?

Any help would be appreciated.
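The behaviour the question asks for, a tenant-scoped admin whose create/list/update/delete is confined to its own tenancy and whose newly created users inherit that tenancy, can be expressed as a small authorization layer in front of the user store. The following is an added, self-contained illustration of that pattern written for this thread; it is not code from the original post or from any particular product, and the `UserService`, `User`, and `tenant-admin` role names are assumptions chosen for the example. The point it makes is that the tenant of a new user is taken from the caller, never from the request, and that every other operation filters or refuses on the caller's tenant rather than trusting a tenant id supplied by the client.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    id: str
    tenant: str                      # tenancy the user belongs to
    roles: Set[str] = field(default_factory=set)


class AuthorizationError(Exception):
    """Raised when a caller acts outside its own tenancy or lacks the role."""


class UserService:
    """In-memory user store guarded by tenant-scoped checks (example only)."""

    ADMIN_ROLE = "tenant-admin"      # assumed role name for the per-tenant admin

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self._counter = 0

    def _require_admin(self, caller: User) -> None:
        if self.ADMIN_ROLE not in caller.roles:
            raise AuthorizationError(f"{caller.id} is not a tenant admin")

    def _require_same_tenant(self, caller: User, target: User) -> None:
        # Cross-tenant access is refused even for admins; scope is the caller's tenant.
        if caller.tenant != target.tenant:
            raise AuthorizationError(
                f"{caller.id} ({caller.tenant}) may not touch {target.id} ({target.tenant})"
            )

    def bootstrap(self, user: User) -> User:
        """Seed users without checks (what a platform operator would do)."""
        self._users[user.id] = user
        return user

    def create(self, caller: User, roles: Optional[Set[str]] = None) -> User:
        """Create a user in the caller's tenancy. The tenant is never a client input."""
        self._require_admin(caller)
        self._counter += 1
        new_user = User(id=f"user-{self._counter}", tenant=caller.tenant, roles=set(roles or ()))
        self._users[new_user.id] = new_user
        return new_user

    def list(self, caller: User) -> List[User]:
        """Return only the users of the caller's tenancy."""
        self._require_admin(caller)
        return [u for u in self._users.values() if u.tenant == caller.tenant]

    def get(self, caller: User, user_id: str) -> User:
        self._require_admin(caller)
        target = self._users.get(user_id)
        if target is None:
            raise KeyError(user_id)
        self._require_same_tenant(caller, target)
        return target

    def update_roles(self, caller: User, user_id: str, roles: Set[str]) -> User:
        target = self.get(caller, user_id)   # get() already enforces tenant scope
        target.roles = set(roles)
        return target

    def delete(self, caller: User, user_id: str) -> bool:
        target = self.get(caller, user_id)
        del self._users[target.id]
        return True


def demo() -> dict:
    """Constructed scenario: two tenants, one admin each, and a cross-tenant attempt."""
    svc = UserService()
    xyz_admin = svc.bootstrap(User("xyz-admin", "XYZ", {UserService.ADMIN_ROLE}))
    abc_admin = svc.bootstrap(User("abc-admin", "ABC", {UserService.ADMIN_ROLE}))
    created = svc.create(xyz_admin, roles={"viewer"})       # lands in XYZ automatically
    abc_user = svc.create(abc_admin)
    visible_to_xyz = [u.id for u in svc.list(xyz_admin)]
    try:
        svc.delete(xyz_admin, abc_user.id)                   # refused: different tenancy
        cross_tenant_blocked = False
    except AuthorizationError:
        cross_tenant_blocked = True
    return {
        "created_tenant": created.tenant,
        "visible_to_xyz": visible_to_xyz,
        "cross_tenant_blocked": cross_tenant_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The same shape carries over to a real identity server: group or attribute the user with its tenant at creation time from the authenticated caller's context, and make every management operation resolve its scope from that context instead of from a tenant parameter in the request, so a client cannot widen its own scope by editing the request.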