Privilege Management Infrastructure

The 2001 edition of X.509 [1] specifies most (but not all) of the components of a Privilege Management Infrastructure (PMI), based on X.509 attribute certificates (ACs).

However, the life cycles of public keys and user privileges are usually very different, and therefore it isn't usually a good idea to combine both of them in the same certificate.

Therefore, it isn't usually a good idea to combine the functions of the Source of Authority/Attribute Authority (SoA/AA) and the Certification Authority (CA) in the same trusted authority.
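The separation described above can be seen in the decision a privilege verifier makes. The following is an added example, not code from X.509 or from PERMIS. It models a long-lived public key certificate and a short-lived attribute certificate whose holder field points at the PKC by issuer and serial number, one of the holder forms X.509 allows. All names and sample values are constructed, and signature verification on both certificates is assumed to have been done already.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PublicKeyCert:       # issued by a CA: binds a public key to an identity
    issuer: str
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class AttributeCert:       # issued by an SoA/AA: binds privileges to a holder
    issuer: str
    serial: int
    holder_issuer: str     # holder is named by reference to the PKC
    holder_serial: int     # (issuer + serial); the AC carries no key
    attributes: frozenset
    not_before: datetime
    not_after: datetime

def authorize(pkc, ac, wanted, now, trusted_cas, trusted_aas, revoked=frozenset()):
    """Return (allowed, reason). Assumes both signatures were already verified."""
    if pkc.issuer not in trusted_cas:
        return False, "PKC issuer is not a trusted CA"
    if not pkc.not_before <= now <= pkc.not_after:
        return False, "PKC outside validity period"
    if ac.issuer not in trusted_aas:        # separate trust set from the CAs
        return False, "AC issuer is not a trusted SoA/AA"
    if (ac.holder_issuer, ac.holder_serial) != (pkc.issuer, pkc.serial):
        return False, "AC holder does not match the presented PKC"
    if (ac.issuer, ac.serial) in revoked:
        return False, "AC has been revoked"
    if not ac.not_before <= now <= ac.not_after:
        return False, "AC outside validity period"
    if wanted not in ac.attributes:
        return False, "privilege not granted by AC"
    return True, "ok"

# Constructed sample data: a two-year PKC and an eight-hour AC for the same holder.
T0 = datetime(2024, 1, 1, 9, 0)
PKC = PublicKeyCert("CN=Example CA", 1001, "CN=alice", T0, T0 + timedelta(days=730))
AC = AttributeCert("CN=Example SoA", 77, "CN=Example CA", 1001,
                   frozenset({"role=auditor"}), T0, T0 + timedelta(hours=8))
AC_FROM_CA = replace(AC, issuer="CN=Example CA")   # AC signed by the CA instead

def decision_at(hours, ac=AC, revoked=frozenset()):
    return authorize(PKC, ac, "role=auditor", T0 + timedelta(hours=hours),
                     {"CN=Example CA"}, {"CN=Example SoA"}, revoked)
```

The privilege lapses or is revoked without the PKC being touched, and an AC issued by the CA is refused because the verifier keeps a separate trust set for attribute issuers.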

The first open source implementation of an X.509 PMI was built with funding under the EC PERMIS project, and the software is available from here.

However, they both have similar functionality, which is to strongly bind a set of privilege attributes to a user.