Impersonate another user using the Web API

Dynamics CRM 2016
 

Updated: November 29, 2016

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

There are times when your code will need to perform operations on behalf of another user. If the system account running your code has the necessary privileges, you can perform operations on behalf of other users.

Impersonation is used to execute business logic (code) on behalf of another Microsoft Dynamics 365 user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user. This is necessary because the Microsoft Dynamics 365 Web services can be called by various clients and services on behalf of a Dynamics 365 user, for example, in a workflow or custom ISV solution. Impersonation involves two different user accounts: one user account (A) is used when executing code to perform some task on behalf of another user (B).

User account (A) needs the prvActOnBehalfOfAnotherUser privilege, which is included in the Delegate security role. The actual set of privileges that is used to modify data is the intersection of the privileges that the Delegate role user possesses with that of the user who is being impersonated. In other words, user (A) is allowed to do something if and only if user (A) and the impersonated user (B) have the privilege necessary for the action.

To impersonate a user, add a request header named MSCRMCallerID with a GUID value equal to the impersonated user’s systemuserid before sending the request to the web service. In this example, a new account entity is created on behalf of the user with systemuserid 00000000-0000-0000-000000000002.

Request
POST [Organization URI]/api/data/v8.2/accounts HTTP/1.1
MSCRMCallerID: 00000000-0000-0000-000000000002
Accept: application/json
Content-Type: application/json; charset=utf-8
OData-MaxVersion: 4.0
OData-Version: 4.0

{"name":"Sample Account created using impersonation"}
Response
HTTP/1.1 204 No Content
OData-Version: 4.0
OData-EntityId: [Organization URI]/api/data/v8.2/accounts(00000000-0000-0000-000000000003)

When an operation such as creating an entity is performed using impersonation, the user who actually performed the operation can be found by querying the record including the createdonbehalfby single-valued navigation property. A corresponding modifiedonbehalfby single-valued navigation property is available for operations that update the entity.

Request
GET [Organization URI]/api/data/v8.2/accounts(00000000-0000-0000-000000000003)?$select=name&$expand=createdby($select=fullname),createdonbehalfby($select=fullname),owninguser($select=fullname) HTTP/1.1 
Accept: application/json
OData-MaxVersion: 4.0
OData-Version: 4.0

Response
HTTP/1.1 200 OK
Content-Type: application/json; odata.metadata=minimal
ETag: W/"506868"

{
    "@odata.context": "[Organization URI]/api/data/v8.2/$metadata#accounts(name,createdby,createdonbehalfby,owninguser,createdby(fullname),createdonbehalfby(fullname),owninguser(fullname))/$entity",
    "@odata.etag": "W/\"506868\"",
    "name": "Sample Account created using impersonation",
    "accountid": "00000000-0000-0000-000000000003",
    "createdby": {
        "@odata.etag": "W/\"506834\"",
        "fullname": "Impersonated User",
        "systemuserid": "00000000-0000-0000-000000000002",
        "ownerid": "00000000-0000-0000-000000000002"
    },
    "createdonbehalfby": {
        "@odata.etag": "W/\"320678\"",
        "fullname": "Actual User",
        "systemuserid": "00000000-0000-0000-000000000001",
        "ownerid": "00000000-0000-0000-000000000001"
    },
    "owninguser": {
        "@odata.etag": "W/\"506834\"",
        "fullname": "Impersonated User",
        "systemuserid": "00000000-0000-0000-000000000002",
        "ownerid": "00000000-0000-0000-000000000002"
    }
}

Microsoft Dynamics 365

© 2016 Microsoft. All rights reserved. Copyright

Show: