Impersonate another user

 

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Impersonation is used to execute business logic (code) on behalf of another Microsoft Dynamics 365 user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user. This is necessary because the Microsoft Dynamics 365 Web services can be called by various clients and services on behalf of a Microsoft Dynamics 365 user, for example, in a workflow or custom ISV solution. Impersonation involves two different user accounts: one user account (A) is used when executing code to perform some task on behalf of another user (B).

Required privileges

User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate security role.

The actual set of privileges that is used to modify data is the intersection of the privileges held by the Delegate role user and those held by the user being impersonated. In other words, user A is allowed to do something if and only if both user A and the impersonated user (B) have the privilege necessary for the action.

Impersonate a user

To impersonate a user, set the CallerId property on an instance of OrganizationServiceProxy before calling the service’s Web methods.
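The following C# sketch is an added example, not code from the original page or from Microsoft's samples. It sets CallerId for a single call, restores the previous caller afterwards, and reads back the createdby and createdonbehalfby columns so the attribution of the new record can be checked. The organization URL, the environment variable names, the user GUID and the helper name CreateAsUser are assumptions made for illustration.

```csharp
using System;
using System.ServiceModel.Description;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

class ImpersonationExample
{
    // Hypothetical helper: creates one account as user B and returns its audit columns.
    static Entity CreateAsUser(OrganizationServiceProxy proxy, Guid impersonatedUserId)
    {
        Guid previousCaller = proxy.CallerId;
        try
        {
            // Every call made while CallerId is set runs on behalf of user B.
            proxy.CallerId = impersonatedUserId;

            var account = new Entity("account");
            account["name"] = "Impersonation check (constructed sample)";

            // Succeeds only if both user A and user B hold the Create privilege.
            Guid id = proxy.Create(account);
            return proxy.Retrieve("account", id,
                new ColumnSet("createdby", "createdonbehalfby"));
        }
        finally
        {
            // Restore the caller so later calls on this proxy are not impersonated.
            proxy.CallerId = previousCaller;
        }
    }

    static void Main()
    {
        // Placeholder values (assumptions): substitute your own deployment details.
        var orgUri = new Uri("https://crm.example.com/Contoso/XRMServices/2011/Organization.svc");
        var credentials = new ClientCredentials();   // credentials of user A
        credentials.UserName.UserName = Environment.GetEnvironmentVariable("D365_USER");
        credentials.UserName.Password = Environment.GetEnvironmentVariable("D365_PASSWORD");
        var userB = new Guid("00000000-0000-0000-0000-000000000001"); // constructed id

        using (var proxy = new OrganizationServiceProxy(orgUri, null, credentials, null))
        {
            Entity created = CreateAsUser(proxy, userB);
            var createdBy = created.GetAttributeValue<EntityReference>("createdby");
            var onBehalfBy = created.GetAttributeValue<EntityReference>("createdonbehalfby");
            Console.WriteLine("createdby: {0}", createdBy.Id);
            Console.WriteLine("createdonbehalfby: {0}",
                onBehalfBy == null ? "(none)" : onBehalfBy.Id.ToString());
        }
    }
}
```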

Deployment specific options

Impersonation using a user account in the PrivUserGroup in Active Directory is no longer supported in the on-premises environment.  In our ongoing design enhancement of the security protocol, we developed a better and more secure impersonation method. The new method calls for using a Dynamics 365 user and a Dynamics 365 security role. With this method, the user’s privileges are managed through Dynamics 365 and activities are logged for the user. Please see the following table for details.

Deployment type: Online

Strategy:

  • Use the special application user described in Build web applications using Server-to-Server (S2S) authentication to control the privileges that the Dynamics 365 user has access to.

  • Grant the application user a security role that includes privileges for the tasks this user will perform on behalf of other users and the prvActOnBehalfOfAnotherUser privilege.

Deployment type: On-premises or IFD/Claims

Strategy:

Create a new Dynamics 365 user with a security role which includes the prvActOnBehalfOfAnotherUser privilege. Within this security role, also include privileges for the tasks this user account will perform on behalf of other users.

See Also

Authenticate users in Microsoft Dynamics 365
Implement single sign-on from an ASPX webpage or IFRAME
Security role and privilege reference
Security role UI to privilege mapping
How role-based security can be used to control access to entities in Microsoft Dynamics 365
Sample: Impersonate using the ActOnBehalfOf privilege

© 2017 Microsoft. All rights reserved.