What is Impersonation?
Impersonation is the security feature that controls the identity under which code executes. It gives the following advantages:
- Run high-privilege code on behalf of a low-privilege user
- Record changes under the account of another user
What are the Impersonation methods in SharePoint 2010?
SharePoint 2010 provides the following methods of Impersonation:
- RunWithElevatedPrivileges, which impersonates the System Account
- Passing a user token to the SPSite constructor, which impersonates a particular user
- Using the Windows API
Note: The System Account (SHAREPOINT\system) is the application pool account of SharePoint. If you are using a developer installation on a client operating system (Windows 7 / Vista) the account name will be different.
Now let us see how to use the above methods.
- RunWithElevatedPrivileges
This is the most commonly used method to impersonate.
SPSecurity.RunWithElevatedPrivileges(() =>
{
// Your code here: everything inside this delegate runs as the System Account
});
Note: In the case of RunWithElevatedPrivileges the System Account is used to perform the activity.
- Passing User Token
SPUserToken is the server object model class used for this purpose: it represents a user's token, which is internally a byte array.
The SPUser class exposes it through the UserToken property. Passing an SPUserToken instance to the SPSite constructor impersonates that user for everything opened from that SPSite.
Eg: new SPSite(UrlText.Text, user.UserToken);
For enumerating all the users of a site the web.Users property can be used.
Eg: web.Users
Running the Code
The attached source contains the following samples:
- Enumerate Users
For enumerating users for a given website the following code can be used:
using System.Linq;
using Microsoft.SharePoint;
using (SPSite site = new SPSite(UrlText.Text))
{
using (SPWeb web = site.OpenWeb())
{
// web.Users is the site's SPUserCollection (SPContext.GetContext(web).Web.Users is the same collection)
SPUserCollection users = web.Users;
// Display to grid; Cast<SPUser>() requires System.Linq
usersGrid.DataSource = users.Cast<SPUser>().ToList();
}
}
On clicking the button we will see the following users as shown below:
- Please note that there are only 2 users for the site I use
- The current user is logged in as Admin
- Create Data Impersonating each User
Now we can try creating list items impersonating each user. The created item will have the system property > Created By set to various users:
The following code does that:
int count = 1;
foreach (SPUser user in web.Users)
{
// Impersonate: the SPSite opened with this user's token runs as that user
using (SPSite newSite = new SPSite(UrlText.Text, user.UserToken))
using (SPWeb newWeb = newSite.OpenWeb())
{
SPListItem item = newWeb.Lists[ListName].AddItem();
item["Title"] = "Item " + count++.ToString();
item.Update(); // Created By is stamped with the impersonated user
} // the using blocks dispose newWeb before newSite, even if Update throws
}
On running the code above we will see the items created as shown below:
- Please note that the Created By property is different for each row
Note: An exception will be thrown if any of the users above does not have write permission on the list.
- Create Data using RunWithElevatedPrivileges
Now we can try creating the list items inside a RunWithElevatedPrivileges block. In this case the code runs as the System Account regardless of who the current user is.
The code for the same is shown below:
SPSecurity.RunWithElevatedPrivileges(() =>
{
// A new SPSite must be opened inside the delegate; objects opened outside it keep the current user's identity
using (SPSite site = new SPSite(UrlText.Text))
{
using (SPWeb web = site.OpenWeb())
{
SPListItem item = web.Lists[ListName].AddItem();
item["Title"] = "Item created with RunWithElevatedPrivileges";
item.Update();
// Item will be created with System Account
ShowData(web);
}
}
});
We can see that the new item is created with the System Account as shown below:
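The two methods above combined into one helper, as an added example that is not part of the article or its attached source: the SPUserToken path is used when the item should be attributed to the real user, and the caller's own permission is checked before RunWithElevatedPrivileges is entered, because the elevated block itself does not enforce it. ImpersonationHelper, siteUrl and listName are assumed names, and the code assumes it runs in a page or web part where SPContext.Current is available.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not from the article's attached source. Assumes it runs in a
// page or web part where SPContext.Current is available, and that a list named
// listName exists at siteUrl.
public static class ImpersonationHelper
{
    // Writes an item as the calling user by passing their SPUserToken.
    // Created By is stamped with the caller; the System Account is not involved.
    public static void AddItemAsCaller(string siteUrl, string listName, string title)
    {
        SPUserToken callerToken = SPContext.Current.Web.CurrentUser.UserToken;
        using (SPSite site = new SPSite(siteUrl, callerToken)) // impersonate caller
        using (SPWeb web = site.OpenWeb())                      // disposed before site
        {
            SPListItem item = web.Lists[listName].AddItem();
            item["Title"] = title;
            item.Update(); // throws if the caller lacks AddListItems on the list
        }
    }

    // Elevated write behind an explicit permission gate. Inside
    // RunWithElevatedPrivileges the code runs as the application pool account,
    // so the caller's permissions are not enforced there; check them first on
    // the caller's own (non-elevated) SPWeb.
    public static void AddItemElevated(string siteUrl, string listName, string title)
    {
        SPWeb callerWeb = SPContext.Current.Web; // real user's identity; do not dispose
        SPList callerList = callerWeb.Lists[listName];
        if (!callerList.DoesUserHavePermissions(SPBasePermissions.AddListItems))
        {
            throw new UnauthorizedAccessException(
                callerWeb.CurrentUser.LoginName + " may not add items to " + listName);
        }
        SPSecurity.RunWithElevatedPrivileges(() =>
        {
            // Open a new SPSite inside the delegate: objects opened outside it,
            // such as SPContext.Current.Site, keep the caller's identity.
            using (SPSite site = new SPSite(siteUrl))
            using (SPWeb web = site.OpenWeb())
            {
                SPListItem item = web.Lists[listName].AddItem();
                item["Title"] = title; // Created By will be the System Account
                item.Update();
            }
        });
    }
}
```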
Summary
In this article we have explored 2 methods of Impersonation in SharePoint 2010. The associated code contains the example we have discussed.