This documentation is archived and is not being maintained.


banner art

[Applies to: Microsoft Dynamics CRM 4.0]

Find the latest SDK documentation: CRM 2015 SDK

Impersonation is a technique that is used to execute business logic (code) on behalf of a Microsoft Dynamics CRM user to provide a desired feature or service using the appropriate role and object based security. This is necessary because the Microsoft Dynamics CRM Web services can be called by various clients and services on behalf of a Microsoft Dynamics CRM user, for example, in a workflow or custom ISV solution.

Impersonation involves two different user accounts. One user account (A) is used when executing code to perform some task on behalf of another user (B). To use impersonation, user account (A) under which the impersonation code is to run must be added to the PrivUserGroup group in Active Directory. This group is created by Microsoft Dynamics CRM during installation and setup. User account A does not have to be associated with a licensed Microsoft Dynamics CRM user. However, the user who is being impersonated (B) must be a licensed Microsoft Dynamics CRM user.


The following code example shows you how to use impersonation when you access a Web service.


using System;
using System.Web.Services.Protocols;
using System.Text;
using System.Net;
using System.Xml;

namespace Microsoft.Crm.Sdk.Reference
    // Microsoft Dynamics CRM namespaces
    using CrmSdk;
    using CrmSdk.Discovery;

    public class Impersonation
        public static void Main(string[] args)
            CrmAuthenticationToken token = new CrmAuthenticationToken();
            token.AuthenticationType = 0; // Use Active Directory authentication.
            token.OrganizationName = "AdventureWorksCycle";

            // Use the global user ID of the system user that is to be impersonated.
            token.CallerId = new Guid("94092D6F-B367-DC11-9C93-0003FFDFCE28");

            CrmService crmService = new CrmService();
            crmService.Url = "http://localhost/MSCRMServices/2007/CrmService.asmx";
            crmService.CrmAuthenticationTokenValue = token;
            crmService.Credentials = System.Net.CredentialCache.DefaultCredentials;

            // Create a new account owned by the impersonated user.
            account account = new account();
   = "Fabrikam";
            Guid accountid = crmService.Create(account);

In the previous example, the token.CallerId must be set to the GUID of a Microsoft Dynamics CRM user. This user should have sufficient Microsoft Dynamics CRM security privileges to take the action you are requesting, such as creating or updating an account. This user should have an Access Mode of Full on the User form. An Access Mode of Read-Only will restrict the actions a user can perform regardless of the roles assigned to them. You can find this setting in Microsoft Dynamics CRM by selecting Settings, pointing to Administration, clicking Users, and then opening the User form for the target user.

In the example code, the user account under which the code executes has been added to the PrivUserGroup. Therefore, the default network credentials can be used. If the user account has not been added to PrivUserGroup, you must explicitly specify the network credentials of an account that is in PrivUserGroup as shown in the following example. Substitute the appropriate logon information for the user name, password, and domain.

crmService.Credentials =
new NetworkCredential("PrivUserName","PrivUserPassword","PrivUserDomain")

See Also


© 2010 Microsoft Corporation. All rights reserved.