Further invocations and delegations are made by B by combining both the privileges of A (using delegation certificate DCab) and B (by providing necessary role certificates or identity certificates). In other words, B represents A by combining the privileges of both A and B. Any target receiving a request from B will base its access decision on A being a initiator and B being a delegate, with the combined privileges of both A and B.