Monday, December 12, 2005

Identity Privilege and Policy

(1) Regarding identity CCoS attributes:

Why and how does the AM API impact the IdRepo identity
attributes? If so, why are amUser and amDiscoveryService
not impacted?

Please clarify.

(2) Regarding the realm restrictions on attribute access

I really have some questions on privileges

(a) Why are privileges defined at the realm level instead of at
another AM identity container level such as group and role?

(b) It seems realm privileges are setting all iPlanetAMPolicyService,
specifically, PolicyCrossReferences for sunAMDelegationService
within the realm.

In addition, it sets the PolicyAdmin, RealmReadOnly, DatastoresReadOnly,
AllUserReadableServices, SelfReadAttributes, SelfWriteAttributes
policies to target identity subjects.

(c) Policy management is about creating referral policies
at the realm and sub-realm level.

ou=OrganizationConfig,ou=1.0,ou=iPlanetAMPolicyService,ou=services,

Then my question is: what are the decision points for defining privileges instead
of policy at the realm level? I mean I can create customer privilege services
as policy does. Please clarify my confusion.

Why does privilege not require a referral at the root level, since privilege
is about creating policy in nature too?

Why and what should be defined as privilege instead of policy?

