A resource R is a member of the red hierarchy which consists of its parent A and A’s parent B.
B-A-R
R is also a member of the blue hierarchy which consists of parent X and X’s parent Y.
Y-X-R
R is not a member of the green hierarchy, but A is and so is A’s parent Z.
Z-A
It all should be very simple. There is a set of rules. Each rule has a resource identifier in its target (written as to apply to all descendants) For each evaluation one wants to include a finite set of applicable rules.
Resource identifiers from the applicable rules are included into the "ancestors" attribute. It is always possible to define this set.
That is it. There are no multiple red green or blue "hierarchies" that XACML should be concerned about. It is up to a concrete system to define the exact mapping. For example, one system may want to model all resources as a tree, but restrict the inheritance to be only three levels deep. Another system may maintain multiple hierarchies and use different depending on the time of day. It does not matter. They can always be presented in an "ancestor" attribute form that allows PDP to evaluate the intended policy.
Daniel;