Skip to main content

Notifications

Announcements

No record found.

Microsoft Dynamics CRM (Archived)

Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

(0) ShareShare
ReportReport
Posted on by 10

Sorry for the broken formatting in the previous post.

According to the documentation there are some requirements concerning impersonation.

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/org-service/impersonate-another-user

a) User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate security role.
b) The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with that of the user that is being impersonated. In other words, user A is allowed to do something if and only if user A and the impersonated user (B) have the privilege necessary for the action.

I cannot observe either of these statements.

  • I created a simple plugin, which queries records of entity X and outputs the count of found records
  • I triggered the plugin with a System Administrator user and the query found all records, say 10. OK.
    • I triggered the plugin with a restricted user A.
    • This user did not have any privileges on entity X.
    • This user did not have the prvActOnBehalfOfAnotherUser privilege
    • As expected, an exception was thrown: Principal user ... is missing prvReadX privilege
  • I triggered the plugin with a restricted user. This time the plugin impersonated as SYSTEM user
  • The plugin executed without exception and found all 10 records.

I wonder:

  • Why is impersonation possible even though user A does not have the prvActOnBehalfOfAnotherUser privilege?
    • -> Contradiction to statement a) of the documentation.
  • Why did the query find records of entity X even though user A does not have read access to any records of entity X?
    • -> Contradiction to statement b) of the documentation.


I used two kinds of impersonation.
1) By the plugin itself at runtime:

var factory = (IOrganizationServiceFactory)localContext.ServiceProvider.GetService(typeof(IOrganizationServiceFactory));
var service = factory.CreateOrganizationService(null);

2) Using the plugin registration tool (Run in users context: SYSTEM)

I reproduced the behavior in Dynamics CRM 2011 and 2016 On Premises. And in Dynamics CRM 365 Online. In the On Premise environments, I did not configure anything special in Active Directory (PrivUserGroup).

Why does the observed behavior not correspond to the documentation?

Thanks!

Johannes.

*This post is locked for comments

  • Johannes R Profile Picture
    Johannes R 10 on at
    RE: Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

    Hi Ravi,

    thanks for your answers. We may consider contacting Microsoft Support.

    Best regards,

    Johannes.

  • RaviKashyap Profile Picture
    RaviKashyap 55,410 on at
    RE: Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

    Hi Johannes,

    Based on your test, you are correct. User 'A' should be able to impersonate if missing prvActOnBehalfOfAnotherUser priviledge. This looks like a product bug.

    You can get the confirmation if it is bug by contacting Microsoft Support directly for your D365 Online org using  https://admin.dynamics.com

    Hope this helps.

  • Johannes R Profile Picture
    Johannes R 10 on at
    RE: Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

    Hi Ravi,

    I repeated my tests with the following non-privileged users A and B:

    • User A is member of a single security role Role_A. This role does not contain the prvActOnBehalfOfAnotherUser privilege, and it does NOT contain any privileges for entity X.
    • User B is member of a single security role Role_B. This role does not contain the prvActOnBehalfOfAnotherUser privilege, and it DOES contain organization-wide read privileges for entity X.

    Results:

    • User A triggers the plugin without impersonation
      • OK: The plugin fails with the 'Principal user ... is missing prvReadX privilege' exception, as expected.
    • User A triggers the plugin and impersonates as User B.
      • Unexpected: The impersonation is possible even though user A does not have the prvActOnBehalfOfAnotherUser privilege (documentation statement a).
      • Unexpected: User A sees all records of entity X, even though the documentation says "...is the intersection of the privileges..." (documentation statement b).

    Again, I tested Dynamics CRM 2016 On Premise and Dynamics CRM 365 Online.

    Do you have an explanation for the observed behavior? Am I missing something?

    Best regards,

    Johannes.

  • RaviKashyap Profile Picture
    RaviKashyap 55,410 on at
    RE: Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

    Yes, that exactly what I meant but I believe that is covered in the documentation as doc says the user needs to have permissions which theses users have.

    You can raise this as a document feedback down the same link you shared to have this included in the current text.

    Hope this helps.

  • Johannes R Profile Picture
    Johannes R 10 on at
    RE: Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

    Hi Ravi,

    thanks for your response.

    > Are you saying that with System users you are able to get the records? 

    Yes, I did several tests with the System user, and also with a user who has assigned the 'System Administrator' security role.

    I am aware that the System user and System Administrator users have elevated privileges and that they can access all records of all entities.

    However, I was not aware that they are not affected by the statements a) and b) of the documentation above. I have never read about that.

    So the complete statements would be like:

    a) User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate security role. Except if the impersonated user (B) is the SYSTEM user or a user with the System Administrator security role. In this case user (A) does NOT need the privilege prvActOnBehalfOfAnotherUser.

    b) The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with that of the user that is being impersonated. In other words, user A is allowed to do something if and only if user A and the impersonated user (B) have the privilege necessary for the action. Except if the impersonated user (B) is the SYSTEM user or a user with the System Adminstrator security role. In this case the actual set of privileges is the full set of the SYSTEM resp. System Administrator user.

    Is this what you meant?

    Best regards,

    Johannes.

  • RaviKashyap Profile Picture
    RaviKashyap 55,410 on at
    RE: Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

    Hi,

    Are you saying that with System users you are abl;e to get the records? If yes then it is expected as System user is the internal user which has admin rights. This user is used for operation which happens outside of CRM like outlook & portals etc.

    Hope this helps.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Congratulations 2024 Spotlight Honorees

Kudos to all of our 2024 community stars! 🎉

Meet the Top 10 leaders for December

Congratulations to our December super stars! 🥳

Start Your Super User Journey Pt 2

Join the ranks of our community heros! 🦹

Leaderboard

#1
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 291,820 Super User 2024 Season 2

#2
Martin Dráb Profile Picture

Martin Dráb 230,514 Most Valuable Professional

#3
nmaenpaa Profile Picture

nmaenpaa 101,156

Leaderboard

Featured topics

Product updates

Dynamics 365 release plans