MSP can identify specific roles and access privileges within the scope of the organization by a single MSP. In this case, they use the same Root CAs and Intermediate CAs for their chain of trust by assigning the OU field to identify members of each organization. Otherwise, an organization also could use different MSPs to manage their members in different channels – for example, ORG.MSP.National and ORG.SMP.International are used to represent the different membership roots of trust within ORG in the national channel compared to the international channel.

Every node(peer or orderer) and the user must have a local MSP defined(only on the file system of the node or user). The local MSPs of the users allow the user to authenticate itself as a member of a channel or as the owner of a specific role into the system. However, channel MSPs define administrative and participatory rights at the channel level. To define an organization on a channel is by adding the organization’s local MSP to the channel configuration. However, a channel MSP is also instantiated on the file system of every node in the channel and kept synchronized via consensus.

MSP level:

• Network MSP: Define the MSPs of the participant organizations and authorized some members to perform administrative tasks.
• Channel MSP: Define who has ability to join the channel, instantiate chaincodes or add/remove organizations.
• Peer MSP: Define which user can install the chaincodes on the peer.
• Orderer MSP: Like a peer MSP and list the actors or nodes it trusts.

Through MSP, it is convenient for enterprise to define business logic and the different level access privileges of all members of respective organizations.

reference: https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html