# HRBAC in Practice

When you assign a user to an organization in AccessIQ, you decide how much of the org tree they can see. The single most important setting is the **"Inherit to child organizations"** checkbox. If it's checked, the user can see their assigned org and everything below it. If it's unchecked, they see only that one org — nothing above, nothing below.

This page walks through exactly what that means for every entity type: customer accounts, applications, feature flag projects, and feature flag overrides. Every example uses the same org tree and the same user so you can compare side by side.

***

## The Organization Tree

All examples in this guide use the following hospital structure:

```
Endeavor Health
├── Pediatric GI
│   ├── Nurse Team
│   └── Front Office Team
└── Sleep Therapy
    ├── Sleep Therapy Nurse Team
    └── Sleep Therapy Front Office Team
```

**Endeavor Health** is the top-level org. It has two departments — **Pediatric GI** and **Sleep Therapy** — each with their own sub-teams.

***

## The Key Setting: "Inherit to Child Organizations"

To assign a user to an org, go to **Org Hierarchy > select an org > Members > Add User**. When you add the user and pick their role, you'll see a checkbox labeled **"Inherit to child organizations"**.

This checkbox is on the **user's role assignment to the org**. It is NOT a setting on accounts, applications, or other entities. It controls how much of the org tree the user can see from their assigned org.

* **Checked** — the user can reach the assigned org and every org below it in the tree.
* **Unchecked** — the user can reach only the single org they were assigned to.

### Meet Nurse Manager Kim

Kim is assigned the **Manager** role at **Pediatric GI**. Here's what changes depending on that one checkbox:

| Inherit to children? | Orgs Kim can reach                          |
| -------------------- | ------------------------------------------- |
| **Yes**              | Pediatric GI, Nurse Team, Front Office Team |
| **No**               | Pediatric GI only                           |

In both cases, Kim **cannot** see Endeavor Health, Sleep Therapy, or any of Sleep Therapy's sub-teams. She sees down from her assigned org, never up or sideways.

***

## What Kim Sees: Customer Accounts

Suppose your tenant has these customer accounts, each assigned to a specific org:

| Account      | Assigned Org      |
| ------------ | ----------------- |
| Marcus Bell  | Pediatric GI      |
| Lena Torres  | Nurse Team        |
| James Okafor | Front Office Team |
| Priya Desai  | Sleep Therapy     |
| Robert Kim   | Endeavor Health   |

### With "Inherit to child organizations" checked

| Account      | Visible to Kim? | Why                                                         |
| ------------ | --------------- | ----------------------------------------------------------- |
| Marcus Bell  | Yes             | Assigned to Pediatric GI — Kim's own org                    |
| Lena Torres  | Yes             | Assigned to Nurse Team — a child of Kim's org               |
| James Okafor | Yes             | Assigned to Front Office Team — a child of Kim's org        |
| Priya Desai  | No              | Assigned to Sleep Therapy — a sibling branch, not below Kim |
| Robert Kim   | No              | Assigned to Endeavor Health — above Kim in the tree         |

### Without "Inherit to child organizations" checked

| Account      | Visible to Kim? | Why                                                        |
| ------------ | --------------- | ---------------------------------------------------------- |
| Marcus Bell  | Yes             | Assigned to Pediatric GI — Kim's own org                   |
| Lena Torres  | No              | Assigned to Nurse Team — Kim can't reach child orgs        |
| James Okafor | No              | Assigned to Front Office Team — Kim can't reach child orgs |
| Priya Desai  | No              | Assigned to Sleep Therapy — different branch               |
| Robert Kim   | No              | Assigned to Endeavor Health — above Kim                    |

> **Key point:** Accounts don't have their own inheritance setting. Visibility depends entirely on which orgs Kim can reach based on her assignment.

***

## What Kim Sees: Applications

Suppose these applications are each assigned to an org:

| Application      | Assigned Org      |
| ---------------- | ----------------- |
| Patient Portal   | Endeavor Health   |
| GI Intake Forms  | Pediatric GI      |
| Nurse Scheduling | Nurse Team        |
| Front Desk Kiosk | Front Office Team |
| Sleep Study App  | Sleep Therapy     |

### With "Inherit to child organizations" checked

| Application      | Visible to Kim? | Why                                                  |
| ---------------- | --------------- | ---------------------------------------------------- |
| Patient Portal   | No              | Assigned to Endeavor Health — above Kim              |
| GI Intake Forms  | Yes             | Assigned to Pediatric GI — Kim's own org             |
| Nurse Scheduling | Yes             | Assigned to Nurse Team — a child of Kim's org        |
| Front Desk Kiosk | Yes             | Assigned to Front Office Team — a child of Kim's org |
| Sleep Study App  | No              | Assigned to Sleep Therapy — different branch         |

### Without "Inherit to child organizations" checked

| Application      | Visible to Kim? | Why                                                        |
| ---------------- | --------------- | ---------------------------------------------------------- |
| Patient Portal   | No              | Assigned to Endeavor Health — above Kim                    |
| GI Intake Forms  | Yes             | Assigned to Pediatric GI — Kim's own org                   |
| Nurse Scheduling | No              | Assigned to Nurse Team — Kim can't reach child orgs        |
| Front Desk Kiosk | No              | Assigned to Front Office Team — Kim can't reach child orgs |
| Sleep Study App  | No              | Assigned to Sleep Therapy — different branch               |

> **Key point:** The same rule as accounts. The application must be assigned to an org Kim can reach. There is no separate inheritance setting on the application itself.

***

## What Kim Sees: Feature Flag Projects

Feature flag projects can be linked to a specific org or left unlinked (tenant-wide). Suppose you have:

| Project             | Linked Org             |
| ------------------- | ---------------------- |
| GI Clinical Trials  | Pediatric GI           |
| Nurse Workflow Beta | Nurse Team             |
| Platform Rollouts   | *(none — tenant-wide)* |

### With "Inherit to child organizations" checked

| Project             | Visible to Kim? | Why                                             |
| ------------------- | --------------- | ----------------------------------------------- |
| GI Clinical Trials  | Yes             | Linked to Pediatric GI — Kim's own org          |
| Nurse Workflow Beta | Yes             | Linked to Nurse Team — a child of Kim's org     |
| Platform Rollouts   | Yes             | No org link — visible to everyone in the tenant |

### Without "Inherit to child organizations" checked

| Project             | Visible to Kim? | Why                                               |
| ------------------- | --------------- | ------------------------------------------------- |
| GI Clinical Trials  | Yes             | Linked to Pediatric GI — Kim's own org            |
| Nurse Workflow Beta | No              | Linked to Nurse Team — Kim can't reach child orgs |
| Platform Rollouts   | Yes             | No org link — visible to everyone in the tenant   |

> **Key point:** Org-linked projects follow the same reachability rule as accounts and apps. Projects with no org link are always visible to everyone.

***

## What Kim Sees: Feature Flag Overrides

Feature flag overrides work differently from every other entity. When you create an override, there is a separate **"Inherit to children"** toggle on the override itself. When enabled, the override cascades down from its org to all sub-teams beneath it.

Suppose these overrides exist:

| Override   | Flag          | Org             | Inherit to children? | Value    |
| ---------- | ------------- | --------------- | -------------------- | -------- |
| Override A | dark-mode     | Pediatric GI    | Yes                  | Enabled  |
| Override B | beta-labs     | Nurse Team      | No                   | Disabled |
| Override C | new-dashboard | Endeavor Health | Yes                  | Enabled  |

Here's what different users across the tree would see:

| User           | Their Org         | Override A (dark-mode)                        | Override B (beta-labs)                   | Override C (new-dashboard)                       |
| -------------- | ----------------- | --------------------------------------------- | ---------------------------------------- | ------------------------------------------------ |
| Hospital Admin | Endeavor Health   | No effect — override is set below them        | No effect                                | **Enabled** — set at their org                   |
| Kim            | Pediatric GI      | **Enabled** — set at her org                  | No effect — set on a child org, not hers | **Enabled** — cascades down from Endeavor Health |
| Nurse Lead     | Nurse Team        | **Enabled** — cascades down from Pediatric GI | **Disabled** — set at their org          | **Enabled** — cascades down from Endeavor Health |
| Front Desk Rep | Front Office Team | **Enabled** — cascades down from Pediatric GI | No effect — Override B doesn't inherit   | **Enabled** — cascades down from Endeavor Health |
| Sleep Tech     | Sleep Therapy     | No effect — different branch                  | No effect — different branch             | **Enabled** — cascades down from Endeavor Health |

> **Key point:** Feature flag overrides are the one entity type where the entity itself has an "inherit to children" setting. When turned on, the override flows down to all sub-teams beneath the org where it was set. Everything else in AccessIQ depends only on which orgs the *user* can reach.

***

## Quick Reference

| Entity Type                | Visibility Rule                                                  | Has its own inheritance setting? |
| -------------------------- | ---------------------------------------------------------------- | -------------------------------- |
| **Accounts**               | Must be assigned to an org the user can reach                    | No                               |
| **Applications**           | Must be assigned to an org the user can reach                    | No                               |
| **Feature Flag Projects**  | Org-linked: must match a reachable org. Unlinked: visible to all | No                               |
| **Feature Flag Overrides** | Cascades down from the org where it's set (if inherit is on)     | **Yes**                          |
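
The two rules in the table above can be checked before granting an assignment. The following is an added example, not AccessIQ code: a small Python model of the org tree on this page, with hypothetical function names (`reachable_orgs`, `visible`, `override_effect`, `audit`), that computes what one role assignment exposes and whether an override takes effect at a given org.

```python
# Added illustration: a model of the rules on this page, not AccessIQ code.
PARENT = {  # child org -> parent org, taken from the tree in this guide
    "Pediatric GI": "Endeavor Health",
    "Sleep Therapy": "Endeavor Health",
    "Nurse Team": "Pediatric GI",
    "Front Office Team": "Pediatric GI",
    "Sleep Therapy Nurse Team": "Sleep Therapy",
    "Sleep Therapy Front Office Team": "Sleep Therapy",
}

def ancestors(org):
    """Orgs strictly above `org` in the tree, nearest first."""
    chain = []
    while org in PARENT:
        org = PARENT[org]
        chain.append(org)
    return chain

def reachable_orgs(assigned_org, inherit):
    """Orgs a user reaches from one role assignment (the checkbox)."""
    reach = {assigned_org}
    if inherit:
        all_orgs = set(PARENT) | set(PARENT.values())
        reach |= {o for o in all_orgs if assigned_org in ancestors(o)}
    return reach

def visible(entity_org, reach):
    """Accounts, apps, org-linked projects: the org must be reachable.
    entity_org=None models a project with no org link (tenant-wide)."""
    return entity_org is None or entity_org in reach

def override_effect(user_org, override_org, inherit, value):
    """Value an override yields at user_org, or None for 'no effect'."""
    if user_org == override_org:
        return value
    if inherit and override_org in ancestors(user_org):
        return value  # cascades down only, never up or sideways
    return None

def audit(assigned_org, inherit, entities):
    """Sorted names of the entities one assignment makes visible."""
    reach = reachable_orgs(assigned_org, inherit)
    return sorted(n for n, org in entities.items() if visible(org, reach))

ACCOUNTS = {"Marcus Bell": "Pediatric GI", "Lena Torres": "Nurse Team",
            "James Okafor": "Front Office Team",
            "Priya Desai": "Sleep Therapy", "Robert Kim": "Endeavor Health"}

if __name__ == "__main__":
    print(audit("Pediatric GI", True, ACCOUNTS))
    print(audit("Pediatric GI", False, ACCOUNTS))
```

Running `audit` with and without inherit for a proposed assignment shows exactly which records the checkbox adds, which is the difference to review before checking it.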

***

## Common Questions

**Why can't Kim see an app assigned to Endeavor Health?** Because Endeavor Health is above her in the tree. Access flows downward from your assigned org, never upward. To let Kim see that app, you'd need to assign her at the Endeavor Health level.

**Why can Kim see accounts in Nurse Team?** Because Kim was assigned to Pediatric GI with **"Inherit to child organizations"** checked. Nurse Team is a child of Pediatric GI, so it falls within her reachable set.

**How do I make an app visible to the entire hospital?** Assign the app to **Endeavor Health** (the top-level org). Then make sure the users who need to see it are assigned at Endeavor Health — or at a level above it — with inherit enabled.

**How do feature flag overrides differ from other entities?** Overrides are the only entity where the item itself cascades downward. When you set an override at Pediatric GI with "inherit to children" turned on, every sub-team beneath it receives that override. For accounts, apps, and projects, visibility is determined solely by whether the entity's org falls within the user's reachable set.

**Can Kim see anything in Sleep Therapy?** No. Sleep Therapy is a sibling branch — it sits under Endeavor Health alongside Pediatric GI but is not below it. Kim would need a separate assignment to Sleep Therapy (or an assignment at Endeavor Health with inherit) to see anything there.

