What makes these problems challenging is that there are multiple reasonable approaches to each issue. Here are some options, none better than the others, for dealing with inheriting permissions from a more 'powerful' resource/zone.
For Resources:
- Write it into the policy
  1a. Check a property of the parent resource