Your problem is not a technical problem but merely a modeling one. You need to agree on what your resource is and what your resource hierarchy is.
What I sometimes do is have a resource-type == customer record (in your case) and then a field-id == firstname.
What I'm doing is introducing 2 attributes to model a resource hierarchy:
- resource-type
- field-id
It's one simple way to get things working.
EDIT - sample policy:
// Attribute declarations added so the policy compiles on its own; the
// id strings are placeholders, map them to the XACML attribute ids your
// PEP actually sends. assignedPerson is a resource attribute here.
namespace docAccess {
    attribute resourceType   { category = resourceCat id = "resourceType"   type = string }
    attribute fieldId        { category = resourceCat id = "fieldId"        type = string }
    attribute fieldSensitive { category = resourceCat id = "fieldSensitive" type = boolean }
    attribute assignedPerson { category = resourceCat id = "assignedPerson" type = string }
    attribute actionId       { category = actionCat   id = "actionId"       type = string }
    attribute subjectId      { category = subjectCat  id = "subjectId"      type = string }

    policy documentAccess {
        // The whole policy only applies to viewing a document resource
        target clause resourceType == "document" and actionId == "view"
        // Rules are tried in order; the first one that yields Permit or Deny wins
        apply firstApplicable
        rule viewSSN {
            target clause fieldId == "ssn"
            // only the person assigned to the document may see the SSN field
            condition subjectId == assignedPerson
            permit
        }
        rule viewBalance {
            target clause fieldId == "balance"
            condition subjectId == assignedPerson
            permit
        }
        // any field not flagged as sensitive is viewable by whoever reached this policy
        rule viewOtherFields {
            target clause fieldSensitive == false
            permit
        }
    }
}
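To see how the resourceType + fieldId model above actually resolves requests, here is an added example (not part of the original answer and not Axiomatics' PDP): a toy Python evaluator implementing XACML rule semantics and the firstApplicable combining algorithm, with the sample policy re-expressed on top of it. The attribute names are the ones used in the sample policy; the request dicts, the subjects "alice" and "bob" and the helper names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, object]
Predicate = Callable[[Request], bool]
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def attr(req: Request, name: str):
    """Fetch an attribute from the request. A missing attribute makes any
    comparison false, so the target simply does not apply.
    (A real XACML PDP would report Indeterminate; this toy simplifies.)"""
    return req.get(name)


@dataclass
class Rule:
    name: str
    target: Predicate                       # ALFA "target clause"
    effect: str                             # PERMIT or DENY
    condition: Optional[Predicate] = None   # ALFA "condition"

    def evaluate(self, req: Request) -> str:
        # XACML rule semantics: target miss -> NotApplicable; target hit but
        # condition false -> also NotApplicable (never the opposite effect).
        if not self.target(req):
            return NOT_APPLICABLE
        if self.condition is not None and not self.condition(req):
            return NOT_APPLICABLE
        return self.effect


@dataclass
class Policy:
    name: str
    target: Predicate
    rules: List[Rule] = field(default_factory=list)

    def deciding_rule(self, req: Request) -> Optional[Rule]:
        """firstApplicable: walk the rules in order, stop at the first Permit/Deny."""
        if not self.target(req):
            return None
        for rule in self.rules:
            if rule.evaluate(req) != NOT_APPLICABLE:
                return rule
        return None

    def evaluate(self, req: Request) -> str:
        rule = self.deciding_rule(req)
        return rule.effect if rule else NOT_APPLICABLE


def pep_decide(policy: Policy, req: Request) -> str:
    """Enforcement point: only an explicit Permit opens the door. NotApplicable
    (e.g. a sensitive field with no matching rule) is enforced as Deny."""
    return PERMIT if policy.evaluate(req) == PERMIT else DENY


def same_as_assigned(req: Request) -> bool:
    return attr(req, "subjectId") == attr(req, "assignedPerson")


# The sample policy from the answer, expressed with the toy classes above.
document_access = Policy(
    "documentAccess",
    target=lambda r: attr(r, "resourceType") == "document" and attr(r, "actionId") == "view",
    rules=[
        Rule("viewSSN", lambda r: attr(r, "fieldId") == "ssn", PERMIT, same_as_assigned),
        Rule("viewBalance", lambda r: attr(r, "fieldId") == "balance", PERMIT, same_as_assigned),
        Rule("viewOtherFields", lambda r: attr(r, "fieldSensitive") is False, PERMIT),
    ],
)


def make_request(subject: str, field_id: str, sensitive: bool,
                 assigned: str = "alice", action: str = "view") -> Request:
    """Constructed sample request; attribute names match the sample policy."""
    return {"subjectId": subject, "resourceType": "document", "actionId": action,
            "fieldId": field_id, "fieldSensitive": sensitive, "assignedPerson": assigned}


if __name__ == "__main__":
    cases = [
        ("assigned person views ssn", make_request("alice", "ssn", True)),
        ("other person views ssn", make_request("bob", "ssn", True)),
        ("other person views non-sensitive field", make_request("bob", "firstname", False)),
        ("other person views sensitive field with no rule", make_request("bob", "dob", True)),
        ("ssn mislabelled as non-sensitive", make_request("bob", "ssn", False)),
    ]
    for label, req in cases:
        rule = document_access.deciding_rule(req)
        print(f"{label}: {document_access.evaluate(req)} via {rule.name if rule else '-'}"
              f" -> PEP {pep_decide(document_access, req)}")
```

Two things the run makes visible that the policy text alone does not. First, the policy never returns Deny: a non-assigned subject asking for ssn, or anyone asking for a sensitive field that has no rule, gets NotApplicable, so the outcome depends on the PEP treating anything but Permit as Deny (add a final explicit deny rule if you do not want to rely on that). Second, the catch-all viewOtherFields rule makes fieldSensitive load-bearing: in the last case ssn is tagged fieldSensitive=false and bob is permitted, because viewSSN only returns NotApplicable when its condition fails and evaluation falls through to the catch-all. Whoever maintains the field classification is effectively editing the policy.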