Friday, February 28, 2014

Impersonation in SharePoint

We normally follow different approaches to update SharePoint items or a property of a web: running a piece of code with elevated privileges, allowing unsafe updates, or using user tokens. As SharePoint developers, we should know what happens with each approach.

RunWithElevatedPrivileges:
This is a static method of the SPSecurity class. It can be used to run a piece of code with system account/application pool account access through delegation. The code runs under the application pool identity, which has site collection administrator privileges on all site collections hosted by that application pool. It also allows access to other resources such as network shared locations and data sources.

AllowUnsafeUpdates:
This is a property of the SPWeb class. It gets or sets a Boolean value that specifies whether to allow updates to the database as a result of a GET request or without requiring a security validation. The updates are accepted only within the boundary of that SPWeb.

UserToken:
This is another way of impersonating. This approach can be followed if the custom code wants to access data within the boundary. By contrast, when we use RunWithElevatedPrivileges, it grants access beyond the boundary, for example to other data sources.
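
The three approaches side by side, as an added example that is not code from the original post. The class name `ImpersonationExamples`, the list name "Tasks" and the method names are hypothetical; the token passed to the second method is assumed to come from something like `SPContext.Current.Site.SystemAccount.UserToken`.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical helper class; the list name "Tasks" is a constructed sample value.
public static class ImpersonationExamples
{
    // Approach 1: run the update under the application pool identity.
    public static void RenameItemElevated(Guid siteId, Guid webId, int itemId, string title)
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // SPSite/SPWeb must be created inside the delegate. Objects taken
            // from SPContext.Current keep the calling user's permissions.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                UpdateTitle(web, itemId, title);
            }
        });
    }

    // Approach 2: open the site with a user token. The thread identity is
    // unchanged, so only SharePoint data is accessed as the token's user.
    public static void RenameItemWithToken(Guid siteId, Guid webId, int itemId,
                                           string title, SPUserToken token)
    {
        using (SPSite site = new SPSite(siteId, token))
        using (SPWeb web = site.OpenWeb(webId))
        {
            UpdateTitle(web, itemId, title);
        }
    }

    // AllowUnsafeUpdates applies to this SPWeb object only. Restore the
    // previous value so later code on the same web is validated again.
    private static void UpdateTitle(SPWeb web, int itemId, string title)
    {
        bool previous = web.AllowUnsafeUpdates;
        try
        {
            web.AllowUnsafeUpdates = true;
            SPListItem item = web.Lists["Tasks"].GetItemById(itemId);
            item["Title"] = title;
            item.Update();
        }
        finally
        {
            web.AllowUnsafeUpdates = previous;
        }
    }
}
```

Keep the elevated delegate as small as possible and validate `itemId` and `title` before calling either method, since both run with more rights than the requesting user has.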