Not sure if there needs to be full multi-tenancy in play, i.e. visibility permissions on Entities and Visualizations that users can/cannot see in their own or the other app.
If that is the case, you can always set up a 'General Visibility Org' to which you add the Users group and set sweeping Visibility with that, and then specific visibility with the User organizations.
For permissions you could go with the way you indicated, or you can set up App Permission Groups/Function Groups, i.e. a Group that has permission to a certain app, or a group that has permission to a certain functionality within one of the apps. This will allow you to then assign Users to any and all parts.
You can take that a step further by creating User Role groups if necessary.
i.e. App1UserManagers are in Functional Groups App1ManageUsers, App1ManageAssets, etc.
This might give you some added flexibility that may or may not come in handy in the future.
Not sure if you have a big concern about what 'home screen' users end up in, but you could direct them to a landing page that derives the home mashup based on the User's groups.
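
The layering described above (user in a role group, role group in functional groups, landing page chosen from the user's groups), as an added example that is not part of the original post and not platform code. It is a stand-alone JavaScript model that calls no platform API; only App1UserManagers, App1ManageUsers and App1ManageAssets come from the post, while the user names, App1Access, the App2 groups and all mashup names are hypothetical.

```javascript
// Constructed sample data. Each key lists the groups it is a direct member of.
const memberOf = {
  alice: ["App1UserManagers"],
  bob: ["App2Viewers"],
  carol: [], // authenticated, but assigned to nothing
  App1UserManagers: ["App1ManageUsers", "App1ManageAssets"], // role -> functional
  App1ManageUsers: ["App1Access"], // functional -> app permission group
  App1ManageAssets: ["App1Access"],
  App2Viewers: ["App2Access"],
  App2Access: ["App2Viewers"], // deliberate cycle: resolution must still terminate
};

// Ordered rules: the first matching group wins, so list the most specific first.
const homeRules = [
  { group: "App1ManageUsers", mashup: "App1.AdminHome" },
  { group: "App1Access", mashup: "App1.Home" },
  { group: "App2Access", mashup: "App2.Home" },
];
// Default-deny landing page for users who match no rule (hypothetical name).
const DEFAULT_MASHUP = "NoAccess.Home";

// Walk membership upward: user -> role group -> functional group -> app group.
function effectiveGroups(principal, graph) {
  const seen = new Set();
  const stack = [...(graph[principal] || [])];
  while (stack.length > 0) {
    const group = stack.pop();
    if (seen.has(group)) continue; // already expanded; this also breaks cycles
    seen.add(group);
    for (const parent of graph[group] || []) stack.push(parent);
  }
  return seen;
}

// Pick the home mashup from the user's effective groups, never from user input.
function homeMashupFor(user, graph, rules) {
  const groups = effectiveGroups(user, graph);
  const hit = rules.find((rule) => groups.has(rule.group));
  return hit ? hit.mashup : DEFAULT_MASHUP;
}

for (const user of ["alice", "bob", "carol"]) {
  const groups = [...effectiveGroups(user, memberOf)].sort().join(", ");
  console.log(`${user}: [${groups}] -> ${homeMashupFor(user, memberOf, homeRules)}`);
}
```

Because the landing page only routes the user, the permissions on each app's entities and mashups still have to be enforced by the groups themselves.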