Impersonation in SharePoint

Impersonation in SharePoint

 

SharePoint security model makes it easy to programmatically execute code within the current user context.

Just write and deploy web part / event handler code and it runs in the security context of the logged in user. There are even built-in functions that take advantage of the user’s security context – such as GetSubwebsForCurrentUser() – without requiring any extra coding on our part which is simple yet effective security mechanism.

But there are situations when the code needs to be executed with permissions greater than that of the current user (like instantiating a site collection or enumerating list permissions or reading a lookup / configuration list on which user may not have access rights).

In such situations, the code needs to be executed with elevated permission level or under the context of user with higher permissions i.e. Impersonation.

So here are the two approaches for u —-

Executing code as another named user

Process

When we create a SharePoint site programmatically using the Microsoft.SharePoint namespace, we can supply a user token which enables you to create objects in the context of a specific user. You can impersonate a user by supplying the user token for that user, obtained from the Microsoft.SharePoint.SPUser object. The user token, SPUserToken, is a binary object that contains the identification and domain group membership of a user.

This allows you to use the Microsoft.SharePoint.SPSite constructor to instantiate a site collection object that runs as if that user was making changes.

SPSite site = new SPSite(“SiteCollection_Url”);

SPWeb web = site.OpenWeb();

SPUser user = web.AllUsers[“User_Name”];

SPUserToken token = user.UserToken;

SPSite impersonatedSiteCollection = new SPSite(“SiteCollection_Url”, token);

Any objects (SPWeb, SPList, etc) that you create from this impersonated site collection will execute as the impersonated user.

Where to Use –

This Approach is useful to run any code which requires specific permissions to execute that code (like permission for reading a particular list), rather than having a full control access permission.

In such a case, service account can be created by specific access rights just sufficient enough to execute the code.

Caution-

Although impersonation provides a powerful new technique for managing security, it should be used with care to make sure that unwanted activity is not performed by users who shouldn’t have the ability to impersonate.

Executing code with elevated privileges

Process

Method 1 –

Elevation of privilege is a new feature of that enables you to programmatically perform actions in code using an increased level of privilege. The Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges method enables you to supply a delegate that runs a subset of code in the context of an account with higher privileges than the current user.

For example:

1. Define a public method that acts simply as a front end to the method that does the “real” work.

public void ProcessMethod()

{

SPSecurity.CodeToRunElevated elevatedMethod = new SPSecurity.CodeToRunElevated( ProcessMethodAsElevated);

SPSecurity.RunWithElevatedPrivileges(elevatedMethod);

}

The code uses a method from SPSecurity to indicate the name of the method that will run with Full Control(Basically using Application Pool Account).

In the first line, simply pass in the name of the method as the parameter. In the second line, you execute that method with elevated privileges.

2. Now create the method that does the real work. It is called by the first method (delegate), but executes with Full Control(under Application Pool Account):

private void ProcessMethodAsElevated()

{

//code goes here to do our work

}

Method 2 –

We can also implement this method by creating dummy delegate method within a code.

SPSecurity.RunWithElevatedPrivileges(

                        delegate()

                        {

                                    //code goes here to do our work

                           

                        });

 

Where to Use –

This approach can be used in scenarios to read or update Site Collection, Site related objects using Full control in event handlers, features or web parts (i.e. code being executed under SharePoint Context.

Caution-

In this approach, we can’t use any SharePoint objects that were created outside the method or else the impersonation won’t work.

We also can’t use anything like SPControl.GetContextWeb(Context) because that also blows the impersonation out of the water.

Instead, we can tweak it like SPSite site = new SPSite(SPControl.GetContextSite(Context).ID). In this case, we are instantiating a new SPSite object and only using the GUID of the current site. i.e. recreation of the SPSite object with new permissions.

Also, we should dispose of the SPSite object created within the RunWithElevatedPrivileges() before exiting the scope, because that SPSite will still have the SHAREPOINT\system identity even outside of the RunWithElevatedPrivileges() scope.

RunWithElevatedPrivileges() has no effect when running in a standalone exe. 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s