Tenants are orgs, so they can already be used indirectly as a form of delegated administration. However, it is currently difficult to set up a single role that allows a user to access only objects within the same tenant: a separate role has to be created for each tenant.
This feature would add the concept of the current tenant to the authorization system. It would then be possible to express authorizations such as "read all roles, but only if they are in the same tenant as the currently logged-in user". For example, to support self-service, a delegated administrator could manage the users in their own organization (tenant) with one shared role instead of a per-tenant one.
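The following is an added illustrative model of the two approaches described above; it is not midPoint's authorization schema or code. The `Authorization`, `Role`, `Obj` types, the `same_tenant` flag and the sample tenants are all hypothetical constructs chosen to show how a single tenant-aware role differs from one role per tenant.

```python
"""Tenant-scoped authorization, simplified model (added example, not project code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Obj:
    oid: str
    kind: str               # object type, e.g. "user" or "role"
    tenant: Optional[str]   # oid of the tenant (org) the object belongs to, None if none


@dataclass(frozen=True)
class Authorization:
    action: str             # e.g. "read" or "modify"
    kind: str               # object type the authorization applies to
    tenant: Optional[str] = None   # fixed tenant: the "one role per tenant" style
    same_tenant: bool = False      # new style: scoped to the subject's own tenant


@dataclass(frozen=True)
class Role:
    name: str
    authorizations: List[Authorization]


def is_authorized(subject: Obj, roles: List[Role], action: str, target: Obj) -> bool:
    """Return True if any assigned role grants `action` on `target` for `subject`."""
    for role in roles:
        for auth in role.authorizations:
            if auth.action != action or auth.kind != target.kind:
                continue
            if auth.same_tenant:
                # Decision depends on who is logged in, not on a tenant baked into the role.
                if subject.tenant is not None and target.tenant == subject.tenant:
                    return True
            elif auth.tenant is None or auth.tenant == target.tenant:
                return True
    return False


# Constructed sample data: two tenants, delegated admins and a plain user.
ALICE = Obj("u-1", "user", "tenant-A")
CAROL = Obj("u-3", "user", "tenant-A")
BOB = Obj("u-2", "user", "tenant-B")

# Current approach: a distinct role must be authored for every tenant.
ADMIN_A = Role("admin-tenant-A", [Authorization("modify", "user", tenant="tenant-A")])
ADMIN_B = Role("admin-tenant-B", [Authorization("modify", "user", tenant="tenant-B")])
# Proposed approach: one role, evaluated against the current tenant of the subject.
TENANT_ADMIN = Role("tenant-admin", [Authorization("modify", "user", same_tenant=True)])
```

Assigning `TENANT_ADMIN` to Alice lets her modify Carol but not Bob, while the same role assigned to Bob gives him the mirror-image scope without any per-tenant role definitions.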