...

All orgs except the default org have a parent. Think of an Org Chart. If a user has permission on an Org, they also have permission on any descendants of that Org.

As at 3.3.2 we have also allowed a user with permission on a child org to see the items from parent orgs for certain collections. Those are: credentials, dashboards, discovery_scan_options, fields, files, groups, queries, reports, roles, rules, scripts, summaries, widgets. 

Don't forget you have granular control over what users can see and do using Roles in Enterprise.

Active Directory and OpenLDAP

...

When configured correctly, LDAP use can completely remove the need to create users in Open-AudIT. Simply configure Open-AudIT to use LDAP for both authentication and authorization. If the user does not exist in Open-AudIT but does exist in LDAP and their credentials are correct and they are a member of the required groups Open-AudIT will create the user account automatically.