To use FB Security Rules you'll need to compare the auth
data with something in the Firebase (like a list of organizations), but it looks like you are trying to get those on the fly every time. Instead I'd recommend keeping a collection of users
in your Firebase organized by their auth.uid
that have organization lists you can check against:
users
uid1
...
uidX
orgs
org1
...
orgX
So when a user tries to access a given orgX
you can check to see if root.child('users').child(auth.uid).child('orgs/orgX')
exists in your Security Rules.