Hey, thanks for the deep answer.
Sadly I already took a look at workspace hierarchy for another reason, and while we may end up using it at some point, it can't be used for this particular thing:
I'll try to sum it up succinctly:
• in our App, we have "tenants" (ie: our customers), each with multiple users
• each tenant can manage its own users (ie: create, delete, etc)
• each user may have access to a set of "clusters" within the tenant (0-N)
• for data security, we do have one GD user per tenant so they can't access other tenants data, but we do not want to replicate our whole user base in GD for various reasons, one of them being simplicity and avoiding having multiple source of truth since we would have to replicate user accesses into GD each time they're updated in our system by a end-user
• initially we wanted to have one workspace per tenant for the same reason, we took a little look at workspace hierarchy, but due to the 0-N relations between users and clusters, it meant we needed one main workspace for the tenant then one workspace per clusters set combination (it can be anything from 10 users, each with their own clusters, to a user having 3 clusters, 2 of them being shared with another user)
• due to how translations were initially handled in GD and our lack of experience with GD overall, we had to finally create one workspace per tenant per locale back then, meaning we currently handle "X tenants * Y supported locale" workspaces
• now if we where to mix that with workspace hierarchy to handle cluster accesses, it would end in a literal combinatorial explosion
• which leads to our current point: we do have a column for the clusters in our data, and that's why we're trying to use the filter that way