Impersonate another user

Article
01/01/2023
2 minutes to read

Use impersonation to execute business logic on behalf of another Microsoft Dataverse user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user.

This is necessary because the Dataverse web services can be called by various clients and services on behalf of a Dataverse user.

Impersonation involves two different user accounts:

Impersonator	Impersonated user
User account used when executing code	User account that the task is being performed on behalf of.

Required privileges

The impersonator needs the privilege Act on Behalf of Another User (prvActOnBehalfOfAnotherUser), which is included in the Delegate security role or can be enabled for any security role.

Note

Remember that users can be associated with more than one security role. Assigning the Delegate security role to a user will grant them the prvActOnBehalfOfAnotherUser privilege as well as the privileges provided by any other security roles associated with the user account.

The actual set of privileges that is used to modify data is the intersection of the privileges that the impersonator user possesses with that of the impersonated user.

In other words, the impersonator is allowed to do something if and only if the impersonator and the impersonated user have the privilege necessary for the action.

Impersonation with Server-to-Server authentication

If you are creating a web client application that requires a user account that can act on behalf of a subscribing user, you can use the special application user account so that you do not need to use a paid Dataverse user license.

More information: Build web applications using Server-to-Server (S2S) authentication.