MS CRM 2011 & 2013 Plugin Impersonation - UserId and InitiatingUserId

  • Question

  • Hi all,

    For a plugin that is executed, the IExecutionContext contains 2 IDs: UserId and InitiatingUserId.

    UserId - "Gets the global unique identifier of the system user for whom the plug-in invokes Web service methods on behalf of"

    InitiatingUserId - "Gets the global unique identifier of the system user account under which the current pipeline is executing. "

    Suppose I have an Update operation (pre or post) and that is registered with the following setting:

     "Run in User's Context" as "Calling User"

    When the plugin is fired, the value of the UserId seems to be that of the "SYSTEM" user. Is this the account that is related to the application pool identity on IIS, namely the "NETWORK SERVICE" account?

    How do we change this to another account? I am confused as to what is meant by impersonation.

    Regards,

    Stanley

    Tuesday, September 23, 2014 5:01 AM

Answers

  • Plug-ins execute under the security account that is specified on the Identity tab of the CRMAppPool Properties dialog box. By default, CRMAppPool uses the Network Service account identity.

    The two methods that can be employed to impersonate a user:

    1. During Plugin registration:

       One method to impersonate a system user within a plug-in is by specifying the impersonated user during plug-in registration. When registering a plug-in programmatically, if the SdkMessageProcessingStep.ImpersonatingUserId attribute is set to a specific Microsoft Dynamics CRM system user, Web service calls made by the plug-in execute on behalf of the impersonated user. If ImpersonatingUserId is set to a value of null or Guid.Empty during plug-in registration, the calling/logged on user or the standard "system" user is the impersonated user.

     

    2. During Plugin Execution:

    Impersonation that was defined during plug-in registration can be altered in a plug-in at run time. Even if impersonation was not defined at plug-in registration, plug-in code can still use impersonation. The following discussion identifies the key properties and methods that play a role in impersonation when making Web service method calls in a plug-in.

    The platform passes the impersonated user ID to a plug-in at run time through the UserId property. This property can have one of three different values as described below:

     

    Condition: The SdkMessageProcessingStep.ImpersonatingUserId attribute is set to null or Guid.Empty at plug-in registration.
    UserId value: Initiating user or "system" user

    Condition: The ImpersonatingUserId property is set to a valid system user ID at plug-in registration.
    UserId value: Impersonated user

    Condition: The current pipeline was executed by the platform, not in direct response to a service method call.
    UserId value: "system" user

     

    If you specify an impersonated user during plug-in registration, you should set up the service proxy in the plug-in by passing a value of true to the CreateOrganizationService method. A value of true indicates that the ID in the IPluginExecutionContext.UserId property is to be used as the impersonated user. The following code example shows how to do this.

     

    Example

    [C#] IOrganizationService service = factory.CreateOrganizationService(true);

    This is equivalent to the following code:

    Example

    [C#] IOrganizationService service = factory.CreateOrganizationService(context.UserId);

    To ignore any impersonating user set during plug-in registration, use the following code.

     Example

    [C#] IOrganizationService service = factory.CreateOrganizationService(false);

    When a value of false is passed the platform uses the built-in "system" account to execute Web service method calls made by your plug-in code.

     

    The InitiatingUserId property of the execution context contains the ID of the system user that called the service method that ultimately caused the plug-in to execute.

     

    [C#] IOrganizationService service = factory.CreateOrganizationService(context.InitiatingUserId);

     

    Refer to the SDK for more info.


    • Edited by Kalim Khan Tuesday, September 23, 2014 11:54 AM
    • Marked as answer by Stanley_Lai Tuesday, September 23, 2014 11:56 PM
    Tuesday, September 23, 2014 11:45 AM
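
The following plug-in is an added example, not part of the original answer. It shows the two identities side by side and keeps the elevated "system" service limited to a single write. It uses the `Guid?` parameter that `IOrganizationServiceFactory.CreateOrganizationService` takes in the CRM 2011/2013 SDK, where null selects the "system" user. The `new_auditnote` entity and its attributes are hypothetical.

```csharp
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example. "new_auditnote", "new_name" and "new_initiatinguser" are hypothetical names.
public class ImpersonationAwarePlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        var tracing = (ITracingService)serviceProvider.GetService(typeof(ITracingService));

        // UserId: the identity the step runs as (calling user, registered impersonated user, or "system").
        // InitiatingUserId: the user whose service call started the pipeline.
        bool impersonated = context.UserId != context.InitiatingUserId;
        tracing.Trace("Message={0} Depth={1} UserId={2} InitiatingUserId={3} Impersonated={4}",
            context.MessageName, context.Depth, context.UserId, context.InitiatingUserId, impersonated);

        if (!context.InputParameters.Contains("Target")) return;
        var target = context.InputParameters["Target"] as Entity;
        if (target == null) return;

        // Default path: act as the initiating user so that user's security roles
        // decide whether the read succeeds.
        IOrganizationService asInitiator = factory.CreateOrganizationService(context.InitiatingUserId);
        Entity current = asInitiator.Retrieve(target.LogicalName, target.Id, new ColumnSet("modifiedon"));

        // Elevated path: a null user ID selects the built-in "system" user.
        // Keep it scoped to the one operation that needs it, and record who triggered it.
        IOrganizationService asSystem = factory.CreateOrganizationService(null);
        var note = new Entity("new_auditnote");
        note["new_name"] = string.Format("{0} on {1} {2}", context.MessageName, target.LogicalName, target.Id);
        note["new_initiatinguser"] = new EntityReference("systemuser", context.InitiatingUserId);
        asSystem.Create(note);

        tracing.Trace("Audit note written; record last modified {0}",
            current.GetAttributeValue<DateTime>("modifiedon"));
    }
}
```

Tracing both IDs on every execution makes it visible in the plug-in trace when a step runs under an identity other than the user who triggered it.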

All replies

  • If you are using 2013 then you can use this feature:-


    Regards Faisal

    This is for workflows
    • Edited by Faisal Fiaz Tuesday, September 23, 2014 8:37 AM
    Tuesday, September 23, 2014 8:37 AM
  • Thanks but I'm working with plugins for now.

    Tuesday, September 23, 2014 9:44 AM
  • Brilliant response, well done !

    Sorry, got a few more questions :)

    1. During plugin registration how do I set the value of SdkMessageProcessingStep.ImpersonatingUserId ?

    Does this correspond to the field "Run in User's Context" of the plugin registration tool? 

    It seems like this is always defaulted to "Calling user" which in turn means the user who initiated the plugin operation?

    In this case then the value of the UserId would be = Initiating User if I enable impersonation when the plugin is executed?

    2. For the "SYSTEM" user account does this have full system admin permissions (highest level) in CRM?

    • Edited by Stanley_Lai Wednesday, September 24, 2014 12:10 AM
    Tuesday, September 23, 2014 11:56 PM