You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: powerapps-docs/developer/data-platform/impersonate-another-user.md
+8-4Lines changed: 8 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -17,7 +17,7 @@ contributors:
17
17
18
18
Use impersonation to execute business logic on behalf of another Microsoft Dataverse user to provide a desired feature or service using the appropriate role and object-based security of that impersonated user.
19
19
20
-
This is necessary because the Dataverse web services can be called by various clients and services on behalf of a Dataverse user.
20
+
Impersonation can be used by various clients and services to call the Dataverse web services on behalf of a Dataverse user.
21
21
22
22
Impersonation involves two different user accounts:
23
23
@@ -36,15 +36,19 @@ The actual set of privileges that is used to modify data is the intersection of
36
36
37
37
In other words, the *impersonator* is allowed to do something *if and only if* the *impersonator* and the *impersonated user* have the privilege necessary for the action.
38
38
39
+
### Direct assignment required
40
+
41
+
The **Act on Behalf of Another User** privilege (`prvActOnBehalfOfAnotherUser`), or a role containing that privilege, must be assigned directly to users since it can't be inherited through a Team. This direct assignment is needed because of the sensitive nature of the privilege.
42
+
39
43
## Impersonation with Server-to-Server authentication
40
44
41
-
If you are creating a web client application that requires a user account that can act on behalf of a subscribing user, you can use the special *application user* account so that you do not need to use a paid Dataverse user license.
45
+
If you're creating a web client application that requires a user account that can act on behalf of a subscribing user, you can use the special *application user* account so that you don't need to use a paid Dataverse user license.
42
46
43
47
More information: [Build web applications using Server-to-Server (S2S) authentication](build-web-applications-server-server-s2s-authentication.md).
44
48
45
49
## Impersonate another user using the Web API
46
50
47
-
To impersonate a user, add a request header named `CallerObjectId` with a GUID value equal to the impersonated user's Microsoft Entra ID object id before sending the request to the web service. The user's Microsoft Entra ID object id is included in the [SystemUser.AzureActiveDirectoryObjectId](reference/entities/systemuser.md#BKMK_AzureActiveDirectoryObjectId).
51
+
To impersonate a user, add a request header named `CallerObjectId` with a GUID value equal to the impersonated user's Microsoft Entra ID object identifier before sending the request to the web service. The user's Microsoft Entra ID object identifier is included in the [SystemUser.AzureActiveDirectoryObjectId](reference/entities/systemuser.md#BKMK_AzureActiveDirectoryObjectId).
48
52
49
53
More information: [Impersonate another user using the Web API](webapi/impersonate-another-user-web-api.md).
50
54
@@ -59,7 +63,7 @@ To impersonate another user, set the `CallerId` property to the Guid value of th
59
63
60
64
## Impersonate another user using plug-ins
61
65
62
-
You can register a plug-in you can specify a user that the operations should use. Within the code of a plug-in you can override this setting.
66
+
You can register a plug-in containing code to specify the user that the operations should use.
63
67
More information: [Impersonate a user](impersonate-a-user.md).
0 commit comments