I didn’t find the API about CRUD on a user`s II-key.
On the IC, you don’t assign things to an ID. You make things accessible to a certain identity. Therefore, e.g. to transfer ICP to a user, you send the ICP to an account that is accessible to that identity. If that identity then tries to transfer the ICP out, then they are allowed to do that. The same works for other assets too, like canisters