When you register a plug-in, you can specify an impersonatinguserid value. In this situation, any calls to the IPluginExecutionContext interface’s CreateCrmService or CreateMetadataService methods with a value of true for the useCurrentUser argument result in a service that is impersonating the user specified at registration. Passing false for the useCurrentUser argument results in a service that is executing as the "system" user. In addition, the IPluginExecutionContext interface’s UserId property contains the user ID specified during registration.

A plug-in’s second option for impersonation is to specify a user ID when calling the IPluginExecutionContext interface’s CreateCrmService method. This allows the plug-in to determine on the fly which user to impersonate, possibly pulling a value from a registry setting or configuration file.

Best Practices

You may be wondering which method of impersonation you should use. Unless you know that you need to impersonate another user, you should simply pass in true to the useCurrentUser argument and create service instances that will behave as determined by the plug-in registration. Most often, plug-ins will be registered without an impersonatinguserid specified and you will run as the user that initiated the event. If at a later point it is determined that you need a plug-in to run with impersonation, you can change the plug-in step without needing to recompile the plug-in assembly. Avoid passing in false for useCurrentUser unless you need to because this value means that calls into the CrmService effectively run as an administrator, possibly elevating the privilege of the user who caused the plug-in to execute.