Impersonate another user

Impersonation is used to execute business logic (code) on behalf of another Dynamics 365 for Customer Engagement user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user. This is necessary because the Dynamics 365 for Customer Engagement Web services can be called by various clients and services on behalf of a Dynamics 365 for Customer Engagement user, for example, in a workflow or custom ISV solution. Impersonation involves two different user accounts: one user account (A) is used when executing code to perform some task on behalf of another user (B).

More information can be found in the Dataverse topic Impersonate another user.

Required privileges

User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate security role.

The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with those of the user who is being impersonated. In other words, user A is allowed to do something if and only if both user A and the impersonated user (B) have the privilege necessary for the action.

Impersonate a user

To impersonate a user, set the CallerId property on an instance of OrganizationServiceProxy before calling the service’s Web methods.
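The following is an added example, not code from the original page or from Microsoft's sample. It sets CallerId, creates a record as user B, and reads back the createdby and createdonbehalfby attributes so you can confirm which account the platform recorded. The service URL, domain account, environment variable name, and user GUID are placeholder assumptions.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Description;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

static class ImpersonationCheck
{
    // Creates an account as user B, then reads back the users recorded on the row.
    static void CreateAsUser(OrganizationServiceProxy proxy, Guid userB)
    {
        proxy.CallerId = userB; // calls made through this proxy now run as B
        try
        {
            var account = new Entity("account");
            account["name"] = "Impersonation check (constructed sample)";
            Guid id = proxy.Create(account);
            // Expected: createdby is B, createdonbehalfby is the delegate account A.
            Entity saved = proxy.Retrieve("account", id,
                new ColumnSet("createdby", "createdonbehalfby"));
            var createdBy = saved.GetAttributeValue<EntityReference>("createdby");
            var onBehalfBy = saved.GetAttributeValue<EntityReference>("createdonbehalfby");
            Console.WriteLine("createdby={0} createdonbehalfby={1}", createdBy?.Id, onBehalfBy?.Id);
        }
        catch (FaultException<OrganizationServiceFault> ex)
        {
            // A missing privilege on A or B surfaces here; the call is not performed.
            Console.Error.WriteLine("Impersonated call rejected: {0}", ex.Detail.Message);
            throw;
        }
        finally
        {
            proxy.CallerId = Guid.Empty; // stop impersonating so later calls run as A
        }
    }
    static void Main()
    {
        // Placeholders (assumptions): URL, account name, env variable, GUID of user B.
        var creds = new ClientCredentials();
        creds.Windows.ClientCredential = new NetworkCredential("svc-delegate", Environment.GetEnvironmentVariable("CRM_DELEGATE_PASSWORD"), "CONTOSO");
        var url = new Uri("https://crm.example.com/Org/XRMServices/2011/Organization.svc");
        using (var proxy = new OrganizationServiceProxy(url, null, creds, null))
        {
            CreateAsUser(proxy, new Guid("00000000-0000-0000-0000-000000000001"));
        }
    }
}
```

Resetting CallerId in the finally block keeps a long-lived proxy from issuing unrelated calls as user B after the impersonated operation finishes or fails.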

Deployment specific options

Impersonation using a user account in the PrivUserGroup in Active Directory is no longer supported in the on-premises environment. In our ongoing design enhancement of the security protocol, we developed a better and more secure impersonation method. The new method calls for using a Dynamics 365 for Customer Engagement apps user and a Dynamics 365 for Customer Engagement (on-premises) security role. With this method, the user’s privileges are managed through Dynamics 365 for Customer Engagement (on-premises) and activities are logged for the user. See the following table for details.

Deployment Type | Strategy
On-premises or IFD/Claims | Create a new Dynamics 365 user with a security role which includes the prvActOnBehalfOfAnotherUser privilege. Within this security role, also include privileges for the tasks this user account will perform on behalf of other users.

See also

Authenticate Users with Dynamics 365 Customer Engagement Web Services
Implement Single Sign-on from an ASPX Webpage or IFRAME
How Role-Based Security Can Be Used to Control Access to Entities In Dynamics 365 Customer Engagement (on-premises)
Sample: Impersonation using the ActOnBehalfOf privilege