Question regarding resource hierarchies

[Laird Nelson <ljnelson@gmail.com>]

This may be a bit off-topic for this list.  If so, please feel free to redirect me elsewhere.

From my early-days understanding of the XACML specification, XACML specifies how PEPs and PDPs cooperate to render authorization decisions based on supplied resources and resource hierarchies (and subjects and a few other things).

But none of this specification says anything, right, about setting up such resource hierarchies?

So if, in my fictional world, I decide that I'm going to set some policies at the department level that should be applied to courses (i.e. that subjects employed by the school may edit their own departmental assets, of which a course is but one type), then it is incumbent upon me to figure out how to send along the proper resource to the XACML processors such that they can render a decision.

I guess a final way to phrase my question is: XACML specifies the structure of the rules and policies involved, but says nothing about how the resources upon which those rules and policies operate are stored, set up, accessed, etc.

Please do correct me if I am mistaken.

Best,
Laird