Event Impersonation in SharePoint Foundation 2010

SharePoint 2010

Last modified: April 08, 2010

Applies to: SharePoint Foundation 2010

In Microsoft SharePoint Foundation 2010, the ability to provide event impersonation has been greatly improved.

In earlier versions of SharePoint Foundation, events that occurred when a request was being processed ran in the context of the user whose action raised the event. Generally, this was acceptable; furthermore, if this created a problem, a developer could either revert to using the system account context, or create a new SPSite object for use with a particular user.

In some scenarios, for example, when an active workflow has code that is running with elevated privileges, the code runs in the context of the system account. But in this scenario, when event receiver code needs to run with the credentials of the originating user, SharePoint Foundation 2010 allows you to undo the reversion.

Although ideally there would be "unimpersonated" or "unreverted" events when code to handle such events executes, this behavior is not introduced in SharePoint Foundation 2010 in order to maintain backward compatibility. Rather, we provide the identity (ID) of the originating user and then let the event receiver implementer respond as appropriate.

SharePoint Foundation 2010 also introduces a new property called OriginatingUserToken on the SPEventPropertiesBase class that returns the ID of the originating user. Event code should check for this user by ID, and, optionally, perform behaviors that can potentially cause unexpected effects by using an impersonated site collection with the token of that originating user.