Update: This feature has been deprecated. It will not be available in the next release of Vault.
This is Queen Elizabeth with an important message about bicycle safety.
Ha! Fooled you. I’m just computer programmer/blogger Doug Redmond, as usual. I pretended to be the queen to give an example of impersonation. Please don’t hate me.
The Vault 2013 API now allows you to impersonate other users. It’s a useful feature in certain cases, but it’s not without limitations. I’ll go over the feature so that you know when and when not to impersonate another user.
Basically, impersonation allows an administrator to switch credentials to that of another user without the need to know the other user’s password. When you impersonate another user in Vault, you essentially log out and log back in as the other user. Only administrators can impersonate for obvious reasons. However, the process of impersonation means that you give up your admin rights (unless you impersonate another admin). When you impersonation another user, you are that other user as far as Vault is concerned, including any security limitations.
Your initial set of admin credentials is completely lost after the impersonate. If you want to go back to your old identity, you need to sign-in again. For this reason, you should not use this feature during a custom command or event handler. In those cases, you are sharing a connection, and the parent application is still using that admin login. You can use this feature in a job handler, however. Each job gets its own login, so you are not going to break anything by switching to another user.
The code is fairly straightforward. You call SecurityService.Impersonate() to switch to another user. When the call completes, the credentials on the SecurityService switch to the new user and the old credentials are invalid.
Unfortunately, the WebServiceManager doesn’t have built in support for impersonation. So it’s best to throw away the old manager and create a new one after the impersonate. For example...
m_svcMgr.SecurityService.Impersonate("Guest", "Vault", false, null);
WebServiceCredentials cred = new WebServiceCredentials(m_svcMgr.SecurityService);
m_svcMgr = null;
using (WebServiceManager svcMgr2 = new WebServiceManager(cred))
// do stuff as other user
mgr.SecurityService.Impersonate("Guest", "Vault", false, Nothing)
Dim cred As New WebServiceCredentials(mgr.SecurityService)
mgr = Nothing
Using svcMgr2 As New WebServiceManager(cred)
' do stuff as other user
- Impersonation allows an administrator to switch credentials to that of another user without the need to know the other user’s password.
- Impersonation logs you out of your current session.
- You have all the security limitations of the impersonated user.
- When to use:
- Job Handlers
- Custom EXEs
- When not to use:
- Custom commands
- Event handlers