Impersonation through C# is not working - sending wrong CallingID

  • Question

  • Hello,

    I need to modify the UserQuery entity, but per securities I can't update this unless it's updated as each individual user.  So I've written a piece to update it using Impersonation by setting the CallerID.  Below is a snippet of the code:

        using (OrganizationServiceProxy proxy = new OrganizationServiceProxy(SvcMgt, Creds))
        {
            Guid OwnerID = new Guid("0c5b54bb-f2ab-e411-94aa-005056843a89");
            proxy.CallerId = OwnerID;

            Guid UserQueryId = new Guid((row["UserQueryId"].ToString()));
            ColumnSet attributes = new ColumnSet(new string[] { "fetchxml" });

            Entity userquery = new Entity("userquery");

            userquery = proxy.Retrieve(userquery.LogicalName, UserQueryId, attributes);

            userquery["fetchxml"] = row["FixedFetchXML"].ToString();

            proxy.Update(userquery);
        }

    When I run this I get the error below:

    System.ServiceModel.FaultException`1[Microsoft.Xrm.Sdk.OrganizationServiceFault]: 
    SecLib::AccessCheckEx failed. Returned hr = -2147187962, 
    ObjectID: 428e02bb-acb3-e411-94aa-005056843a89, 
    OwnerId: 0c5b54bb-f2ab-e411-94aa-005056843a89,  
    OwnerIdType: 8 and 
    CallingUser: e0d62cbb-86d6-e411-94aa-005056843a89. 
    ObjectTypeCode: 4230, 
    objectBusinessUnitId: 45072abb-5187-e211-86aa-005056b07049, 
    AccessRights: Read
    Access  (Fault Detail is equal to Microsoft.Xrm.Sdk.OrganizationServiceFault).

    The CallingUser is me, but I assumed this would be the user I'm trying to impersonate given I've set that GUID as the CallerID.  What am I missing?

    Thanks in advance for any suggestions.


    • Edited by Sam Alex Monday, April 20, 2015 5:28 PM
    Monday, April 20, 2015 5:25 PM

All replies

  • Does the calling user (the one whose credentials you pass in the first line of posted code) have the prvActOnBehalfOfAnotherUser privilege ?

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Monday, April 20, 2015 9:40 PM
    Moderator
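
One way to run the check asked about in the reply above, as an added example that is not part of the original thread: it uses the CRM SDK's `WhoAmIRequest` and `RetrieveUserPrivilegesRequest` to test whether the account the proxy authenticates as is reported as holding `prvActOnBehalfOfAnotherUser`. The class and method names are hypothetical, and the proxy is assumed to be constructed as in the question.

```csharp
using System;
using System.Linq;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

// Hypothetical helper (not from the thread): checks the authenticating account,
// not the impersonated one, for the privilege that impersonation depends on.
public static class ImpersonationCheck
{
    public static bool CanActOnBehalfOf(OrganizationServiceProxy proxy)
    {
        Guid previousCallerId = proxy.CallerId;
        try
        {
            // Clear impersonation so every call below runs as the authenticated account.
            proxy.CallerId = Guid.Empty;

            Guid authenticatedUserId =
                ((WhoAmIResponse)proxy.Execute(new WhoAmIRequest())).UserId;

            // Resolve the privilege name to its record id.
            var query = new QueryExpression("privilege")
            {
                ColumnSet = new ColumnSet("privilegeid")
            };
            query.Criteria.AddCondition(
                "name", ConditionOperator.Equal, "prvActOnBehalfOfAnotherUser");
            Entity privilege = proxy.RetrieveMultiple(query).Entities.FirstOrDefault();
            if (privilege == null)
                throw new InvalidOperationException("Privilege record not found.");

            // Ask the platform which privileges it reports for that user.
            var response = (RetrieveUserPrivilegesResponse)proxy.Execute(
                new RetrieveUserPrivilegesRequest { UserId = authenticatedUserId });

            return response.RolePrivileges.Any(p => p.PrivilegeId == privilege.Id);
        }
        finally
        {
            // Restore whatever CallerId the caller had set.
            proxy.CallerId = previousCallerId;
        }
    }
}
```
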
  • Thanks.  I'm a System Administrator on the CRM instance, but I just added myself to the Delegate role as well with no luck.  Per this  - https://msdn.microsoft.com/en-us/library/gg334744(v=crm.6).aspx - it looks like adding the Delegate role to my account should give me the prvActOnBehalfOfAnotherUser privilege, but I'm getting the same Permission Denied message.

    Tuesday, April 21, 2015 1:31 PM
  • It's a good idea, but it may not be possible to update.  From my experience with impersonation, you're still authenticating as a single "admin" user, and then creating/updating records on behalf of another user.  The system still records the admin user in the CreatedOnBehalOf attribute.

    Have you tried to create a new UserQuery record?  If that works, you could do Delete/Creates instead of Updates.

    Another option might be to Share (with Update permission) the UserQuery with your admin account before updating it.

    Tuesday, April 21, 2015 2:25 PM
  • Thanks for the options.  What I'm seeing now is my Impersonation code is working when I set the CallerId, but it's not working congruently across all users.  For example I have two users, and I can run the following for one user and it creates the Contact under that user, but if I change the CallerId to another User's GUID it creates the Contact under me and not that second user:

        using (OrganizationServiceProxy proxy = new OrganizationServiceProxy(SvcMgt, Creds))
        {
            proxy.CallerId = new Guid("BBC683AA-3E8B-E211-98BB-005056B07049");

            Guid NewContact;
            Entity contact = new Entity("contact");
            contact["firstname"] = "Test2";
            contact["lastname"] = "Test2";
            NewContact = proxy.Create(contact);
            System.Console.WriteLine(NewContact.ToString());
        }

    At this point I believe my code is valid and working, because under the user that it works on the correct user is set up as the ModifyBy, CreateBy, etc., but I'm set up as the ModifiedOnBehalfBy and CreatedOnBehalfBy.  And I've even tested this with updating the User Query entity; for some I can modify their Query successfully, but for the same ones that won't allow me to set up a new Contact for them I can't update the User Query entity as them either.

    So my question now is why does Impersonation work on some users but not on others.  I've compared the profiles of users that it does and doesn't work on, but I can't find any difference.

    Thanks --

    Tuesday, April 21, 2015 5:12 PM