Looking for PowerObjects? Don’t worry, you’re in the right place! We’ve been part of HCL for several years, and we’ve now taken the final step in our acquisition journey: moving our website to the HCL domain. Nothing else is changing – we are still fanatically focused on Microsoft Business Applications!

PowerObjects Blog

for Microsoft Business Applications

Development

Impersonating a Dynamics CRM User in Silverlight

Post Author: Joe D365 | March 13th, 2013

Impersonating a Dynamics CRM user is fairly straightforward in server-side code and using SDK. We have covered it before in the blog post How to Impersonate in Microsoft Dynamics CRM.

But how can we do this in client-side code, specifically Silverlight?

The first obvious approach would be not to use the context to obtain service, but to create your own, and define the username/password for another user in the code. This is widely used in Dynamics CRM portals and many server-side implementations, but we try to avoid this method in client-side applications such as Silverlight.

For that reason, the approach we would use in this case is impersonating the CallerId in the SOAP header of the call. We do not need to know anyone's password or even username, just their CRM GUID:

using (var scope = new OperationContextScope(service.InnerChannel))

{
//Impersonate caller Id
ns = "http://schemas.microsoft.com/xrm/2011/Contracts";
callerGuid = "{AAAAAAAA-0000-0000-0000-000000000000}"); //replace with real GUID
var userHeader = MessageHeader.CreateHeader("CallerId", ns, callerGuid);
OperationContext.Current.OutgoingMessageHeaders.Add(userHeader);
service.CreateAsync(entity);
}

In one implementation of this code, we needed this to have a custom audit of the user's actions in the Silverlight component. If we're going to do this, we want any user action to happen with the user's own context and credentials, so that CRM security is used for the calls and so that we can get the correct "modified by" data. However, we don't want to give the user any unnecessary permissions to the audit entity, or else a malicious user could tamper with the auditing.

So let's run a few tests:

A user with absolutely no permissions for the entity will fail to impersonate:

impersonating a Dynamics CRM user - no permissions

A user will need at least the minimum read/create permission for the entity before the delegation can work:

The created records will be created by and owned by a service user, and "Created By (Delegate)" will be our actual user:

Note that while users have basic permission to the entity, they cannot see any of the created records because they are owned by the service user.

There you go—impersonate away!

If this relevant to your interests, you might also be interested in our Dear Joe CRM post on the differences between JavaScript, Silverlight and Plug-ins for Dynamics CRM.

Happy CRM'ing!

By Joe D365

Joe D365 is a Microsoft Dynamics 365 superhero who runs on pure Dynamics adrenaline. As the face of PowerObjects, Joe D365’s mission is to reveal innovative ways to use Dynamics 365 and bring the application to more businesses and organizations around the world.