web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / Impersonation in plugi...
Microsoft Dynamics CRM (Archived)

Impersonation in plugin - Privileges do not apply as expected (e.g. prvActOnBehalfOfAnotherUser) - v2

(0) ShareShare
ReportReport
Posted on by Johannes R 10

Sorry for the broken formatting in the previous post.

According to the documentation there are some requirements concerning impersonation.

https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/org-service/impersonate-another-user

a) User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate security role.
b) The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with that of the user that is being impersonated. In other words, user A is allowed to do something if and only if user A and the impersonated user (B) have the privilege necessary for the action.

I cannot observe either of these statements.

  • I created a simple plugin, which queries records of entity X and outputs the count of found records
  • I triggered the plugin with a System Administrator user and the query found all records, say 10. OK.
    • I triggered the plugin with a restricted user A.
    • This user did not have any privileges on entity X.
    • This user did not have the prvActOnBehalfOfAnotherUser privilege
    • As expected, an exception was thrown: Principal user ... is missing prvReadX privilege
  • I triggered the plugin with a restricted user. This time the plugin impersonated as SYSTEM user
  • The plugin executed without exception and found all 10 records.

I wonder:

  • Why is impersonation possible even though user A does not have the prvActOnBehalfOfAnotherUser privilege?
    • -> Contradiction to statement a) of the documentation.
  • Why did the query find records of entity X even though user A does not have read access to any records of entity X?
    • -> Contradiction to statement b) of the documentation.


I used two kinds of impersonation.
1) By the plugin itself at runtime:

var factory = (IOrganizationServiceFactory)localContext.ServiceProvider.GetService(typeof(IOrganizationServiceFactory));
var service = factory.CreateOrganizationService(null);

2) Using the plugin registration tool (Run in users context: SYSTEM)

I reproduced the behavior in Dynamics CRM 2011 and 2016 On Premises. And in Dynamics CRM 365 Online. In the On Premise environments, I did not configure anything special in Active Directory (PrivUserGroup).

Why does the observed behavior not correspond to the documentation?

Thanks!

Johannes.

*This post is locked for comments

I have the same question (0)
  • RaviKashyap Profile Picture
    RaviKashyap 55,410 Moderator on at

    Hi,

    Are you saying that with System users you are abl;e to get the records? If yes then it is expected as System user is the internal user which has admin rights. This user is used for operation which happens outside of CRM like outlook & portals etc.

    Hope this helps.

  • Johannes R Profile Picture
    Johannes R 10 on at

    Hi Ravi,

    thanks for your response.

    > Are you saying that with System users you are able to get the records? 

    Yes, I did several tests with the System user, and also with a user who has assigned the 'System Administrator' security role.

    I am aware that the System user and System Administrator users have elevated privileges and that they can access all records of all entities.

    However, I was not aware that they are not affected by the statements a) and b) of the documentation above. I have never read about that.

    So the complete statements would be like:

    a) User account (A) needs the privilege prvActOnBehalfOfAnotherUser, which is included in the Delegate security role. Except if the impersonated user (B) is the SYSTEM user or a user with the System Administrator security role. In this case user (A) does NOT need the privilege prvActOnBehalfOfAnotherUser.

    b) The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with that of the user that is being impersonated. In other words, user A is allowed to do something if and only if user A and the impersonated user (B) have the privilege necessary for the action. Except if the impersonated user (B) is the SYSTEM user or a user with the System Adminstrator security role. In this case the actual set of privileges is the full set of the SYSTEM resp. System Administrator user.

    Is this what you meant?

    Best regards,

    Johannes.

  • RaviKashyap Profile Picture
    RaviKashyap 55,410 Moderator on at

    Yes, that exactly what I meant but I believe that is covered in the documentation as doc says the user needs to have permissions which theses users have.

    You can raise this as a document feedback down the same link you shared to have this included in the current text.

    Hope this helps.

  • Johannes R Profile Picture
    Johannes R 10 on at

    Hi Ravi,

    I repeated my tests with the following non-privileged users A and B:

    • User A is member of a single security role Role_A. This role does not contain the prvActOnBehalfOfAnotherUser privilege, and it does NOT contain any privileges for entity X.
    • User B is member of a single security role Role_B. This role does not contain the prvActOnBehalfOfAnotherUser privilege, and it DOES contain organization-wide read privileges for entity X.

    Results:

    • User A triggers the plugin without impersonation
      • OK: The plugin fails with the 'Principal user ... is missing prvReadX privilege' exception, as expected.
    • User A triggers the plugin and impersonates as User B.
      • Unexpected: The impersonation is possible even though user A does not have the prvActOnBehalfOfAnotherUser privilege (documentation statement a).
      • Unexpected: User A sees all records of entity X, even though the documentation says "...is the intersection of the privileges..." (documentation statement b).

    Again, I tested Dynamics CRM 2016 On Premise and Dynamics CRM 365 Online.

    Do you have an explanation for the observed behavior? Am I missing something?

    Best regards,

    Johannes.

  • RaviKashyap Profile Picture
    RaviKashyap 55,410 Moderator on at

    Hi Johannes,

    Based on your test, you are correct. User 'A' should be able to impersonate if missing prvActOnBehalfOfAnotherUser priviledge. This looks like a product bug.

    You can get the confirmation if it is bug by contacting Microsoft Support directly for your D365 Online org using  https://admin.dynamics.com

    Hope this helps.

  • Johannes R Profile Picture
    Johannes R 10 on at

    Hi Ravi,

    thanks for your answers. We may consider contacting Microsoft Support.

    Best regards,

    Johannes.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans