Hierarchical access scoping

Scope

This document explains how hierarchical access scoping works within an organization using Organizational Units (Org Units).

Hierarchical access scoping defines where administrative authority and policy scope apply, based on the organization’s structural hierarchy.


I am new. Where should I start?

If you are new to hierarchical access scoping:

  • Think of the organization as a tree structure

  • Authority flows from parent Org Units to child Org Units

  • Administrators only manage the scope they are assigned to

This model helps large organizations control access without granting global permissions.


Purpose

Hierarchical access scoping enables organizations to:

  • Limit administrative actions to specific organizational areas

  • Apply security policies consistently through inheritance

  • Prevent over-privileged administrative access

  • Align system access with real-world organizational boundaries


Core Concepts

Organizational Hierarchy

The organization is structured as:

Organization (Root) → Org Unit (Parent) → Org Unit (Child) → Workspace

Each level represents a scope boundary.


Access Scope

Access scope defines:

  • Which users an administrator can manage

  • Which Org Units an administrator can view or modify

  • Where policies can be applied or overridden

Administrators cannot act outside their assigned scope.


When should hierarchical access scoping be used?

Hierarchical access scoping is recommended when:

  • The organization has multiple departments or business units

  • Administrative responsibilities must be segmented

  • Different security policies apply to different groups

  • You want to avoid global admin privileges


Prerequisites

Before using hierarchical access scoping:

  • Organizational Units must be defined

  • Administrative roles must support scoped permissions

  • Policy inheritance rules must be understood


I already understand. How do I proceed step by step?


1. Define the Organizational Hierarchy

  • Create Org Units that reflect your organization’s structure

  • Establish clear parent–child relationships

  • Keep the hierarchy as simple as possible


2. Assign Administrative Scope

  • Assign administrators to a specific Org Unit

  • Define their role within that scope

  • Ensure they only see and manage resources within their assigned Org Unit and its children


3. Apply Policies at the Appropriate Level

  • Apply global policies at the root Org Unit

  • Apply more restrictive policies at child Org Units if needed

  • Allow policy inheritance unless explicitly overridden


4. Manage Users Within Scope

Administrators can:

  • View and manage users within their Org Unit scope

  • Assign users to child Org Units

  • Enforce policies relevant to their scope

They cannot manage users outside their scope.


5. Validate Scope Enforcement

  • Test admin access at each Org Unit level

  • Verify visibility and permissions

  • Confirm that cross-scope access is blocked


Policy Inheritance Rules

  • Policies applied at a parent Org Unit are inherited by child Org Units

  • Child Org Units may override certain policies if allowed

  • Overrides never affect parent Org Units
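
The scope check from steps 2 to 5 and the inheritance rules above can be sketched as follows. This is an added example, not code from any product this page describes; the Org Unit names reuse the page's examples, while the policy keys, their values and the set of overridable keys are assumptions.

```python
# Constructed sample hierarchy (child -> parent); names follow the page's examples.
PARENT = {
    "Org": None,
    "Engineering": "Org",
    "Platform": "Engineering",
    "Finance": "Org",
    "APAC": "Org",
}

# Policies set directly on an Org Unit. Keys and values are hypothetical.
LOCAL_POLICY = {
    "Org": {"mfa_required": True, "session_hours": 12},
    "Engineering": {"session_hours": 8},
    "Platform": {"session_hours": 4, "mfa_required": False},
    "APAC": {"geo_restriction": "APAC"},
}

# Policy keys that child Org Units are allowed to override (assumption).
OVERRIDABLE = {"session_hours", "geo_restriction"}


def ancestors(unit):
    """Yield unit, then each parent up to the root; reject unknown units and cycles."""
    seen = set()
    while unit is not None:
        if unit not in PARENT or unit in seen:
            raise ValueError(f"invalid hierarchy at {unit!r}")
        seen.add(unit)
        yield unit
        unit = PARENT[unit]


def in_scope(admin_unit, target_unit):
    """True only if target is the admin's Org Unit or one of its descendants."""
    try:
        return admin_unit in ancestors(target_unit)
    except ValueError:
        return False  # fail closed on unknown or malformed targets


def effective_policy(unit):
    """Merge policies root-first; a child's value wins only for overridable keys."""
    result = {}
    for ou in reversed(list(ancestors(unit))):
        for key, value in LOCAL_POLICY.get(ou, {}).items():
            if key not in result or key in OVERRIDABLE:
                result[key] = value
    return result
```

Because the merge is computed per Org Unit and never written back, an override at Platform leaves the effective policy of Engineering and the root unchanged.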


Common Examples

Example 1: Department-Level Administration

  • Org Unit: Engineering

  • Admin Scope: Engineering

  • Access: Engineering + all sub-teams

  • No access to Finance or HR


Example 2: Regional Policy Control

  • Org Unit: APAC

  • Policy: Geo-based access restriction

  • Scope: Applies only to APAC users
