Impersonate another user
Updated: November 29, 2016
Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online
Impersonation is used to execute business logic (code) on behalf of another Microsoft Dynamics 365 user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user. This is necessary because the Microsoft Dynamics 365 Web services can be called by various clients and services on behalf of a Microsoft Dynamics 365 user, for example, in a workflow or custom ISV solution. Impersonation involves two different user accounts: one user account (A) is used when executing code to perform some task on behalf of another user (B).
User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate role.
Alternately, for Active Directory directory service deployments only, user account (A) under which the impersonation code is to run can be added to the PrivUserGroup group in Active Directory. This group is created by Microsoft Dynamics 365 during installation and setup. User account (A) does not have to be associated with a licensed Microsoft Dynamics 365 user. However, the user who is being impersonated (B) must be a licensed Microsoft Dynamics 365 user.
The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with that of the user that is being impersonated. In other words, user A is allowed to do something if and only if user A and the impersonated user (B) have the privilege necessary for the action.
Authenticate users in Microsoft Dynamics 365
Implement single sign-on from an ASPX webpage or IFRAME
Security role and privilege reference
Security role UI to privilege mapping
How role-based security can be used to control access to entities in Microsoft Dynamics 365
Sample: Impersonate using the ActOnBehalfOf privilege
Microsoft Dynamics 365
© 2016 Microsoft. All rights reserved. Copyright