# <serviceAuthorization> element

<system.ServiceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceAuthorization>

## Syntax

<serviceAuthorization impersonateCallerForAllOperations="Boolean"
principalPermissionMode="None/UseWindowsGroups/UseAspNetRoles/Custom"
roleProviderName="String"
serviceAuthorizationManagerType="String">
<authorizationPolicies>
</authorizationPolicies>
</serviceAuthorization>


## Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

### Attributes

Attribute Description
impersonateCallerForAllOperations A Boolean value that specifies if all the operations in the service impersonate the caller. The default is false.

When a specific service operation impersonates the caller, the thread context is switched to the caller context before executing the specified service.
principalPermissionMode Sets the principal used to carry out operations on the server. Values include the following:

- None
- UseWindowsGroups
- UseAspNetRoles
- Custom

The default value is UseWindowsGroups. The value is of type PrincipalPermissionMode. For more information on using this attribute, see How to: Restrict Access with the PrincipalPermissionAttribute Class.
roleProviderName A string that specifies the name of the role provider, which provides role information for a Windows Communication Foundation (WCF) application. The default is an empty string.
ServiceAuthorizationManagerType A string containing the type of the service authorization manager. For more information, see ServiceAuthorizationManager.

### Child Elements

Element Description
authorizationPolicies Contains a collection of authorization policy types, which can be added using the add keyword. Each authorization policy contains a single required policyType attribute that is a string. The attribute specifies an authorization policy, which enables transformation of one set of input claims into another set of claims. Access control can be granted or denied based on that. For more information, see AuthorizationPolicyTypeElement.

### Parent Elements

Element Description
<behavior> Contains a collection of settings for the behavior of a service.

## Remarks

This section contains elements affecting authorization, custom role providers, and impersonation.

The principalPermissionMode attribute specifies the groups of users to use when authorizing use of a protected method. The default value is UseWindowsGroups and specifies that Windows groups, such as "Administrators" or "Users," are searched for an identity trying to access a resource. You can also specify UseAspNetRoles to use a custom role provider that is configured under the <system.web> element, as shown in the following code.

<system.web>
<membership defaultProvider="SqlProvider"
userIsOnlineTimeWindow="15">
<providers>
<clear />
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlConn"
applicationName="MembershipProvider"
requiresUniqueEmail="true"
</providers>
</membership>
<!-- Other configuration code not shown. -->
</system.web>


The following code shows the roleProviderName used with the principalPermissionMode attribute.

<behaviors>
<behavior name="ServiceBehaviour">
<serviceAuthorization principalPermissionMode ="UseAspNetRoles"
roleProviderName ="SqlProvider" />
</behavior>
<!-- Other configuration code not shown. -->
</behaviors>


For a detailed example of using this configuration element, see Authorizing Access to Service Operations and Authorization Policy.