'Scoped policies, just like labels, are ordered in the Azure portal. If a user is configured for multiple scopes, an effective policy is computed for that user before it is downloaded. According to the order of the policies, the last policy setting is applied. The labels that the user sees are from the global policy and any additional labels from scoped policies that the user belongs to.'
So it looks like you have it right insofar as first level is org (global), second level is department and third level is users in that department.
This article should help you to structure your policies according to your organisation.
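
A simplified model of the effective-policy computation quoted above, added here as an illustration; it is not code from the documentation or from the service itself. The policy names, group names and setting keys are constructed, and scope membership is assumed to be a simple group match.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    order: int                      # position in the portal list; higher = later
    members: Optional[frozenset]    # None = global policy (applies to everyone)
    labels: list = field(default_factory=list)
    settings: dict = field(default_factory=dict)


def effective_policy(user_groups, policies):
    """Merge every policy that applies to the user, in portal order.

    Returns (labels, settings, source), where source records which policy
    supplied the final value of each setting.
    """
    groups = frozenset(user_groups)
    applicable = [p for p in policies
                  if p.members is None or p.members & groups]
    applicable.sort(key=lambda p: p.order)

    labels, settings, source = [], {}, {}
    for policy in applicable:
        # Labels accumulate: global labels plus those of each matching scope.
        for label in policy.labels:
            if label not in labels:
                labels.append(label)
        # Settings overwrite: the last policy in the order wins.
        for key, value in policy.settings.items():
            settings[key] = value
            source[key] = policy.name
    return labels, settings, source


# Constructed sample: org (global) -> department -> users in that department.
POLICIES = [
    Policy("Global", 0, None, ["Public", "General", "Confidential"],
           {"default_label": "General", "require_justification": False}),
    Policy("Finance", 1, frozenset({"finance"}), ["Finance Only"],
           {"default_label": "Confidential", "require_justification": True}),
    Policy("Finance Auditors", 2, frozenset({"finance-auditors"}),
           ["Audit Restricted"], {"default_label": "Audit Restricted"}),
]

if __name__ == "__main__":
    print(effective_policy({"finance", "finance-auditors"}, POLICIES))
```

The `source` mapping is useful when reviewing a layered design: it shows which tier a user's setting actually came from, so an unintended override by a later scoped policy is visible before rollout.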