Impersonate another user
Effective November 2020:
- Common Data Service has been renamed to Microsoft Dataverse. Learn more
- Some terminology in Microsoft Dataverse has been updated. For example, entity is now table and field is now column. Learn more
This article will be updated soon to reflect the latest terminology.
Use impersonation to execute business logic on behalf of another Microsoft Dataverse user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user.
This is necessary because the Dataverse web services can be called by various clients and services on behalf of a Dataverse user.
Impersonation involves two different user accounts:
|User account used when executing code||User account that the task is being performed on behalf of.|
The impersonator needs the privilege Act on Behalf of Another User (
prvActOnBehalfOfAnotherUser), which is included in the Delegate security role or can be enabled for any security role.
Remember that users can be associated with more than one security role. Assigning the Delegate security role to a user will grant them the
prvActOnBehalfOfAnotherUser privilege as well as the privileges provided by any other security roles associated with the user account.
The actual set of privileges that is used to modify data is the intersection of the privileges that the impersonator user possesses with that of the impersonated user.
In other words, the impersonator is allowed to do something if and only if the impersonator and the impersonated user have the privilege necessary for the action.
Impersonation with Server-to-Server authentication
If you are creating a web client application that requires a user account that can act on behalf of a subscribing user, you can use the special application user account so that you do not need to use a paid Dataverse user license.
More information: Build web applications using Server-to-Server (S2S) authentication.
Impersonate another user using the Web API
To impersonate a user, add a request header named
CallerObjectId with a GUID value equal to the impersonated user's Azure Active Directory (AAD) object id before sending the request to the web service. The user's AAD object id is included in the SystemUser.AzureActiveDirectoryObjectId.
More information: Impersonate another user using the Web API.
Impersonate another user using the Organization service
To impersonate another user, set the
CallerId property to the Guid value of the impersonated user. The following classes that implement IOrganizationService include this property.
Impersonate another user using Plug-ins
You can register a plug-in you can specify a user that the operations should use. Within the code of a plug-in you can override this setting. More information: Impersonate a user.