Federated access and LakeFormation tag-based access best practice

Hi, We are working on the project where ActiveDirectory users get a federated access to the AWS. I would like to ask about the best practices for how to set up federation and the Tag based access control for users that they can benefit from the flexible permissions. The scenario is: In AD we have users in the group Sales. They get federated access and mapped to the AWS role AWSReservedSSO_AWSSales etc. We give corresponding permissions to this role to the LF tag sales. Then one of the AD users needs to access Marketing domain and he gets added to the new AD group. In AWS he is still federated as the Sales role and so he can't see the data tagged as marketing. What are the options rather than creating a new AWS Role and map that user to the new AWS role which will have a new tag added (..._AWSSalesMarketing) role)