It has become increasingly common for individual and business consumers to receive access to various resources (e.g., devices, services, and/or data) through client-based account systems. In order to access the resource, these account systems generally provide an authentication procedure which involves authenticating the user's account and determining that the user has the right to access the desired resource before they gain access. This often means that each user must have the right to access a particular resource, and that is generally obtained by the user purchasing the right. However, there are many instances in which an authorized user of a resource needs to allow a second user to access that resource, even if the second user does not have the right to access. For example, a user may desire to share a resource with a friend or may need to delegate some responsibility of managing a resource with a colleague or employee.
In such cases, the user may desire to provide full access to the second user, or may need to restrict the second user's access according to a specific role or policy. One way this is done is by utilizing an access control system which includes an administrator that manages user accounts. The administrator may restrict access to each account by assigning roles (i.e., role-based access control) or policies (i.e., attribute-based access control) that grant or deny functions and visibility to each specific user account. This means of access control may be useful for business customers and large accounts, but makes little sense to an individual user due to its complexity. For example, it is not practical for an individual consumer who simply wishes to share access to one of their devices with a friend to employ a complex access control system.