Organization Based Permissions Filtering

I'm configuring a satellite for use on at a university. I want to create a separate organization for each college in the university. Kicker is I need to keep orgs from changing each others stuff. What I want to do is create a role that contains the thing an org admin would need to do (create host collections, activation keys, etc) but limit these changes to items owned by the org the user is a member of.

In other words, have an Org Admin role that has create rights to nearly everything and a filter set to org = $UsersOrg.

It seems that right now all I can do is create a specific Org Admin role for each org on the satellite. That seems like it'll quickly get unmanageable.