Plug-ins that are not executed by the sandbox or the asynchronous service run under the CRMAppPool identity service account. By default, CRMAppPool uses the Network Service account, but the administrator can change it. If it is changed, the administrator must add the new identity account to the PrivUserGroup in Active Directory.
Impersonation during Plug-in Registration
A user can be impersonated at plug-in registration: the administrator can specify a user account under which the plug-in executes. If the plug-in is registered programmatically, impersonation is done by setting the ImpersonatingUserId property to a specific user. Web service calls made by the plug-in then execute on behalf of the impersonated user.
Impersonation during Plug-in Execution
Impersonation defined at the registration level can be overridden at run time during plug-in execution.
For security purposes, a plug-in can also impersonate the user who actually initiated the process or plug-in (by performing a specific action within the CRM application) by using the InitiatingUserId property.
// Get the execution context, which carries InitiatingUserId.
IPluginExecutionContext context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
// Get a reference to the Organization service, running as the initiating user.
IOrganizationServiceFactory factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));
IOrganizationService service = factory.CreateOrganizationService(context.InitiatingUserId);
Refer to Microsoft's documentation for more information.
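The run-time override described above, as an added example that is not code from the original post: a complete plug-in that records when the registration-level identity differs from the initiating user and then makes its service calls as the initiating user, so that user's CRM security roles apply. The class name IdentityAuditPlugin and the trace messages are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;

// Hypothetical class name, used only for this illustration.
public class IdentityAuditPlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)
            serviceProvider.GetService(typeof(IPluginExecutionContext));
        var tracing = (ITracingService)
            serviceProvider.GetService(typeof(ITracingService));
        var factory = (IOrganizationServiceFactory)
            serviceProvider.GetService(typeof(IOrganizationServiceFactory));

        // context.UserId: the user the step is set to run as, i.e. the
        // account chosen at registration when impersonation is configured.
        // context.InitiatingUserId: the user whose action fired the plug-in.
        if (context.UserId != context.InitiatingUserId)
        {
            // Leave an audit trail whenever the two identities differ.
            tracing.Trace(
                "Step registered to run as {0}, initiated by {1} (message {2})",
                context.UserId, context.InitiatingUserId, context.MessageName);
        }

        // Override the registration-level identity: every call made through
        // this service instance executes on behalf of the initiating user.
        IOrganizationService asInitiator =
            factory.CreateOrganizationService(context.InitiatingUserId);

        // Confirm which identity the service calls actually run under.
        var who = (WhoAmIResponse)asInitiator.Execute(new WhoAmIRequest());
        tracing.Trace("Service calls execute as user {0}", who.UserId);
    }
}
```

The trace output appears in the plug-in trace log, which makes it possible to review after the fact which steps run under an identity other than the user who triggered them.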