Impersonate as another user in .NET SDK-based RecordAddIn

Hi guys,

 

In a .NET RecordAddin I am trying to modify record notes; however, we don't want to give the end user Record Admin access to modify Record Notes, so obviously this would cause an "Access Denied" error when the RecordAddIn is trying to modify notes. So I thought I'd let the RecordAddIn emulate a TRIM admin when modifying Record Notes through the TRIMDB.ConnectAs(username, password) method, but so far no joy. In the user profile I've given the user permission to impersonate another user under Miscellaneous, and enabled the user to be impersonated, but I'm still getting the following error:

 

Error connecting to TRIM dataset 'test' on workgroup 'workgroup5'. Remote: Impersonated logon failed. The account AAA\jsmith is not trusted to impersonate other HP TRIM users. 

 

So I then tested adding AAA\jsmith to the trusted users in TRIM Enterprise Studio, and that fixed the above problem (but I'd hate to add every single user as a trusted user if that's what I have to do). I then created a TRIM administrator and called TRIMDB.ConnectAs(username, pwd) to emulate the TRIM administrator. However, I'm still getting the access denied error when attempting to modify Record Notes using Record.Notes = "some new string".

 

So my question is:

1. How would you guys go about allowing the RecordAddIn to modify Record Notes while not giving the user full Record Notes access?

2. If you go via the emulate route, is there a way to let the RecordAddIn emulate another user without adding that user as a trusted user? And why, even when emulated as an administrator, am I still getting the access denied error when modifying record notes?

 

Sorry about my wordy problem; any help is greatly appreciated.

 

Thanks,

Richard

  • A different way of looking at your solution (apologies if you have already gone down this track and ruled it out)

     

    I would look at doing this at the server as an event manager addin.

     

    Let the user write the notes they want to add to the record notes in an additional text field called UserNotes. In the event manager, which runs as an Administrator, look for the UdfField changed event, then copy the notes from that field onto the record's notes (you can append or prepend, and you can write the user stamp string so it refers to the user and not the service account).

     

    regards

     

     

     

  • Thanks Rich, yeah, unfortunately I've already gone down the client-side RecordAddIn route, because as I understand it there's a lag between the notes being updated and the user actually seeing the notes if I do it via a server add-in? Plus, is there more risk if something goes wrong on the server side? I guess if everything else fails I'll have to look into a server add-in then....

     

    Thanks again

  • Verified Answer

    Hi Richard,

     

    In regards to using TRIM's impersonation, you also have another option in the .NET SDK, and that is Database.SpawnImpersonatedDatabase(userToImpersonate), but with any kind of impersonation you need to:

     

    Ensure the user doing the impersonating (we'll say "FRED") has the "Can Impersonate Another User" permission

    Ensure that the admin user (we'll call her "NOTESADDER") that will be impersonated has the "Can Be Impersonated" permission

     

    But the clincher that I think will cause you issues is that I believe* the account doing the impersonating needs more rights than the account being impersonated, i.e. FRED would need more rights than NOTESADDER - which means FRED would need the rights to add notes in order to tell NOTESADDER to add notes, which would defeat the whole process.

     

    *I recall that was the case when I was creating a webservice that would impersonate users - an admin service account impersonating users with less rights / security is what it was designed for. I could be completely wrong about this though.

     

    The other option is to use .NET's impersonation to do the impersonating (WindowsIdentity.Impersonate); however, your main thread would have to do what it needed to do, save the record, and then impersonate this NOTESADDER Windows user, which could fetch the record and make the changes.

     

    If EventProcessorAddins will be too slow, you could instead have a WCF Service that runs as a NOTESADDER service account that your RecordAddin could call to add stuff to the notes. More immediate than an EventProcessorAddin, without the horrible impersonation security and threading concerns to worry about?
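    Sketch of the "notes adder" WCF service described in this answer, added here as an example and not code from the thread or from the TRIM SDK. The service host runs as the NOTESADDER service account, so the end user never holds Record Notes permission and the exposed operation is deliberately append-only with the caller's name in the stamp. The HP.HPTRIM.SDK member names used (Database, Id, WorkgroupServerName, Connect, Record(db, uri), Notes, Save) are assumptions; the dataset id and workgroup come from the original question.

```csharp
using System;
using System.ServiceModel;
using HP.HPTRIM.SDK;   // assumed assembly/namespace, as named in the thread

[ServiceContract]
public interface INotesAdder
{
    // Append-only by design: a caller can add a stamped line, never rewrite existing notes.
    [OperationContract]
    void AppendNote(long recordUri, string text);
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class NotesAdderService : INotesAdder
{
    // Constructed limit; tune per deployment.
    private const int MaxNoteLength = 4000;

    public void AppendNote(long recordUri, string text)
    {
        // Calling user's Windows identity (binding uses Windows auth); used only for the stamp.
        var caller = ServiceSecurityContext.Current?.WindowsIdentity?.Name;
        if (string.IsNullOrEmpty(caller))
            throw new FaultException("Caller must be authenticated.");
        if (string.IsNullOrWhiteSpace(text) || text.Length > MaxNoteLength)
            throw new FaultException("Note text is missing or too long.");

        // Connect to TRIM as the account the host process runs under (NOTESADDER),
        // so no TRIM impersonation or trusted-user entry is needed for the end user.
        var db = new Database();
        db.Id = "test";                          // dataset from the question
        db.WorkgroupServerName = "workgroup5";   // workgroup from the question
        db.Connect();

        var record = new Record(db, recordUri);
        // Stamp refers to the real user, not the service account (as Rich suggested above).
        var stamp = string.Format("{0:yyyy-MM-dd HH:mm} {1}: ", DateTime.Now, caller);
        var existing = record.Notes ?? string.Empty;
        record.Notes = existing.Length == 0
            ? stamp + text
            : existing + Environment.NewLine + stamp + text;
        record.Save();
    }
}
```

    Host this with a Windows-authenticated binding so `ServiceSecurityContext` is populated, and keep the host's service account limited to the Notes permission it needs rather than full Record Administration.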

  • Thanks Matt, it appears that in addition to what you said, if FRED has notes change permission and NOTESADDER doesn't have notes change permission, FRED can still change notes... so the whole impersonation is quite helpless to me.

     

    After a bit of digging around, I found that deselecting the "Prevent Users without 'Record Administration' permission from overwriting existing Notes" checkbox on the record type sort of fixed my dilemma, so I'll probably go down this route for the moment. But of course with the potential issue that users can now edit Action Notes; I hope this solution is good enough. At least it puts off writing the server add-in for the time being :)

     

    Thanks for all your tips, really appreciate them

  • Hi Matt,

    I am developing a Web application using TRIM Web Services. I would like to do something similar to what you have achieved - using an admin account to connect to the TRIM db, then using Impersonate to restrict users so that they can see only what they should. Can you please let me know how you have done it, both in the client code and in the server settings? I have tried to set the IIS server to enable Impersonate as the authenticated user, and on the client side I used both functions setCurrentUserLogin and setUserToImpersonate, without success - every user using the Web service can see all documents in TRIM, even though I have inactivated some test users. Is there anything to do with the guest account?

    Thanks

    Viet

     

  • Hi Viet,

     

    Sorry for the delayed response - I'm not an expert with TRIM Web Services - my web services/apps are all custom and use the HP.HPTRIM.SDK.dll assembly, so I'd have to defer to someone experienced with the TRIM Web Services to answer any specifics.

     

    Setting a guest account will just mean that when your application can't authenticate with TRIM, it will use the specified guest login instead, so not the solution you're after.

     

    With HP TRIM 7, the TRIM Enterprise Studio (TES) has a Miscellaneous option under the General tab. Make sure the account doing the impersonating is added to the "Trusted server accounts..." bit at the bottom. (This replaces the "Can Impersonate" and "Can Be Impersonated" permissions that were present in TRIM 6).

     

    As always, be sure to run TES as an Administrator and do a "Save" and "Deploy" to make any changes take effect.

     

    Hopefully that's of some help,

     

    Matt

  • Thanks Matt.

     

    We tried to make the Web Service's impersonation work, but no luck so far. We would like to try other options, including running the SDK.

    When you built your application, did you need to provide both username and password for impersonation? Our application needs to impersonate a user with the username only, not the password.

     

    Best Regards,

     

    Viet
