
Entity Based Access vs Confidentiality vs User Hierarchy

Luby
Tera Expert

Hello GRC experts,


How do Entity-Based Access, Confidentiality Records, and User Hierarchy interact to determine a user's final visibility and edit permissions for Risk and Compliance data?


JadaP
Tera Expert

Great question. These three mechanisms get conflated a lot, so let me break down how they actually work and where they overlap.


First, a version check that matters here. Entity-Based Access is only available on Xanadu Patch 9+, Yokohama Patch 2+, and Zurich. If you are on an earlier release, your access control options are User Hierarchy and Confidentiality only. This changes the answer depending on what version you are running.


Second, the key thing most people miss. Entity-Based Access and User Hierarchy cannot be enabled at the same time. They are mutually exclusive. So the question is not really how all three interact simultaneously. It is about which access model you choose, and then how Confidentiality layers on top.


Entity-Based Access restricts visibility based on the entity structure. Users assigned to an entity can see all related records such as risks, controls, issues, and more scoped to that entity and its downstream entities. Users outside that configuration see nothing. This is your horizontal segmentation, separating business units, regions, or departments so teams only see what is relevant to them.


User Hierarchy restricts visibility based on reporting relationships. A user sees their own assigned records plus anything assigned to their direct reports rolling up to them. Managers get visibility into their team’s work, but it does not flow the other way. This is vertical segmentation within a single organizational path.


Confidentiality operates at the record level and takes precedence over whichever access model you have enabled. When a record is marked confidential, only users on the Allowed Users or Allowed Groups list, or those with the sn_grc.confidential_user role, can access it, regardless of their entity assignment or hierarchy position. It is important to note that once confidentiality is enabled, it cannot be turned off.


Practical example to tie it together.


Say you have an HR department managing Onboarding and Payroll as separate entities. If Payroll staff should only see Payroll data and Onboarding staff should only see Onboarding data, that is Entity-Based Access segmenting by entity.


Alternatively, if you need the Onboarding manager to only see records assigned to her direct reports, with visibility rolling up but not down, that is User Hierarchy.


Now, regardless of which model you choose, if executive compensation records in Payroll need to be locked down so only the department head can see them, that is Confidentiality applied at the record level, overriding whatever access model is in place.


Bottom line. Choose between Entity-Based Access and User Hierarchy based on whether your primary concern is entity-level segmentation or reporting-line visibility, and confirm your version supports Entity-Based Access if that is your path. Then layer Confidentiality on top for sensitive records that need a final gate. Confidentiality always wins.
Hope this helps.


Happy to dig deeper if you have a specific implementation scenario in mind.
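To make the decision order in the answer above concrete, here is an added example that models it in plain JavaScript. It is not ServiceNow or GRC application code: the entity tree, users, groups and records are constructed sample data, and only the sn_grc.confidential_user role name comes from the thread.

```javascript
// Added example, not ServiceNow code: a model of the access decision described
// in the answer above. Entities, users, groups and records are constructed sample
// data; the only real identifier is the sn_grc.confidential_user role name.
const entities = { HR: ["Onboarding", "Payroll"], Onboarding: [], Payroll: [] }; // parent -> children
const groups = { payroll_leads: ["alice"] };
const users = {
  alice: { entity: "Payroll",    manager: null,    roles: [] }, // Payroll department head
  bob:   { entity: "Payroll",    manager: "alice", roles: [] },
  carol: { entity: "Onboarding", manager: null,    roles: [] },
  dave:  { entity: "Onboarding", manager: "carol", roles: [] },
  eve:   { entity: "HR",         manager: null,    roles: ["sn_grc.confidential_user"] },
};
const records = {
  RISK1: { entity: "Payroll",    assignedTo: "bob",  confidential: false, allowedUsers: [], allowedGroups: [] },
  RISK2: { entity: "Payroll",    assignedTo: "bob",  confidential: true,  allowedUsers: [], allowedGroups: ["payroll_leads"] },
  RISK3: { entity: "Onboarding", assignedTo: "dave", confidential: false, allowedUsers: [], allowedGroups: [] },
};

// Entity-Based Access and User Hierarchy are mutually exclusive: exactly one must be enabled.
function chooseModel(cfg) {
  if (cfg.entityBasedAccess && cfg.userHierarchy) throw new Error("Entity-Based Access and User Hierarchy cannot both be enabled");
  if (!cfg.entityBasedAccess && !cfg.userHierarchy) throw new Error("enable one access model");
  return cfg.entityBasedAccess ? "entity" : "hierarchy";
}
// An entity plus every entity downstream of it (horizontal segmentation).
function downstream(entity) {
  const out = new Set([entity]);
  for (const child of entities[entity] || []) for (const e of downstream(child)) out.add(e);
  return out;
}
// True if assignee is viewerId or rolls up to viewerId through the manager chain (vertical segmentation).
function rollsUpTo(viewerId, assignee) {
  for (let cur = assignee; cur; cur = users[cur].manager) if (cur === viewerId) return true;
  return false;
}
// Confidentiality is evaluated first and overrides whichever access model is enabled.
function canView(viewerId, recordId, model) {
  const user = users[viewerId], rec = records[recordId];
  if (rec.confidential) {
    const inGroup = rec.allowedGroups.some(g => (groups[g] || []).includes(viewerId));
    return rec.allowedUsers.includes(viewerId) || inGroup || user.roles.includes("sn_grc.confidential_user");
  }
  if (model === "entity") return downstream(user.entity).has(rec.entity);
  return rollsUpTo(viewerId, rec.assignedTo);
}
```

Running the same record through both models shows bob, the assignee in the right entity and reporting line, still losing access to RISK2 once it is confidential, while alice (allowed group) and eve (confidential user role) keep it.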