User sources for different sites

I want to achieve the following user access architecture:

  1. different user group dedicated for each site
  2. a core user group for accessing all sites

what's the best way to achieve this?

Thanks in Advance.

Is this for just one project, or a project at each site?
It also depends on what type of User Source you will use. E.g. Internal, Active Directory, etc.

Assuming a project at each site and Internal User Sources:
I would create two UserSources at each site, one primary with your dedicated users, and one for failing over to with your core users. To reduce the management of the core users you could make it a database user source and maintain a database table at each site with the same users, either through replication, or ETL etc.

One project for each site.
each site has its own user source using database type.
the core user source is also database type.
I tried to apply each project with its user source, and each user source configured to have fallover to the core user source.
But it won't work, for some reason, then I realized there's another layer called identity Provider. Then I got confused.
But I tried configure a idP for each site, and each idP is linked to the project user source, but it still does not work.

this solution works.

Just need to change the fallover mode from hard to soft.