Base solution for your next web application
Open Closed

How to use ImpersonatorUserId and ImpersonatorTenantId #540


User avatar
0
mhdbaz created

Could any one please explain how to use ImpersonatorTenantId and ImpersonatorUserId ?

I did not find any documentation about where to set these values and how to use them


8 Answer(s)
  • User Avatar
    0
    hikalkan created
    Support Team

    This is added to make "admin to login as a user". If you implement it in your application, you can than login as selected user and perform operations as the user. This is added to standardize the session properties used to implement this. But this is not implemented in the framework.

    How to set? To understand it we should understand how it get? See this code: <a class="postlink" href="https://github.com/aspnetboilerplate/aspnetboilerplate/blob/master/src/Abp/Runtime/Session/ClaimsAbpSession.cs#L85">https://github.com/aspnetboilerplate/as ... ion.cs#L85</a> It gets from Thread.CurrentPrincipal. So, you can add these info into claims on login (or on impersonation action).

    identity.AddClaim(new Claim(AbpClaimTypes.ImpersonatorUserId, YOUR_INT64_VALUE_HERE));
    
  • User Avatar
    0
    hikalkan created
    Support Team

    a sample GIST: <a class="postlink" href="https://gist.github.com/hikalkan/8862d9f7ae8b4874976d">https://gist.github.com/hikalkan/8862d9f7ae8b4874976d</a>

  • User Avatar
    0
    meff created

    Hello. First of all - thank you for your great work. ABP is awesome.

    On already working ABP (AngularJS + EF) application I need to implement functionality where admin user of one tenant can act as any user of another tenant.

    In order to replace IAbpSession.TenantId I have derived ClaimsAbpSession, registered it in module:

    public class MyAbpSession : ClaimsAbpSession
    {
      public MyAbpSession(IMultiTenancyConfig multiTenancy) : base(multiTenancy) {}
      private int? _tenantId;
      public int? SetCurrentTenantId
            {
                set { this._tenantId = value; }
            }
            public override int? TenantId
            {
                get
                {
                    var claimsPrincipal = Thread.CurrentPrincipal as ClaimsPrincipal;
                    if (claimsPrincipal == null)
                        return null;
                    return this._tenantId ?? base.TenantId;
                }
            }  
    }
    

    But I still have MayHaveTenant filter problem. Is there any chance I could globally set filter parameter for all UnitsOfWork?

    _unitOfWorkManager.AllUnitsOfWork.SetFilterParameter(AbpDataFilters.MayHaveTenant, AbpDataFilters.Parameters.TenantId, input.TenantId.Value);
    

    And this has to be done from Impersonation method (any ApplicationService or AccountController in .Web), not from module initialization.

    I can not disable AbpDataFilters.MayHaveTenant / AbpDataFilters.MustHaveTenant globally, because impersonator must see only data of Tenant, that she is impersonating.

    What I have tried:

    1. To derive from EfUnitOfWork and override ApplyFilterParameterValue, but I could not inject MyEfUnitOfWork :-(
    2. Wanted to derive from class UnitOfWorkManager, but it is Internal, so no luck.

    What would be the best solution to achieve my business requirement?

    I am even thinking of creating identical AbpUsers (and synchronizing for password change and so on) for each tenant, that a user must have access to... Is ASP.NETZERO has fully implemented impersonation (on features it says "User and Tenant impersonation")?

    Could you please provide some advise to this problem? Thank you in advance.

  • User Avatar
    0
    meff created

    Hello, so I will ask my question shortly: is there any easy way to achieve a functionality, that user from one tenant could act on behalf of another tenant?

    Thank you.

  • User Avatar
    0
    hikalkan created
    Support Team

    Hi,

    It depends on what you exactly want.

    Most easy way: While logged in for User A of Tenant X, you can call an action on AccountController. It logouts and logins for User B of Tenant Y and continue to use application. That's fairly easy. In addition, you can set Impersonator claims, so audit logging also saves it, and then you can understand this operations are impersonated by User A.

  • User Avatar
    0
    meff created

    Thank you for your answer.

    Background of a problem: companyM (lest call it tenantM) signed an business agreement, that users of companyM will work on behalf of companyS1, companyS2 and companyS3 (tenantS1, tenantS2, tenantS3 respectively), while still using they'r own logins into system.

    My purpose is to let userM1 of tenantM to work as userM1 of tenanS1, and tenantS2 and so on.

    If I follow your suggestion - I shall create DUMMY userS1, userS2, userS3 for every user of tenantM1, is that correct?

  • User Avatar
    0
    hikalkan created
    Support Team

    Hi,

    Yes, User is per tenant for the current implementation and can not be shared by different tenants. Because of automatic tenant filtering, you can not work with other tenant's users unless you explicitly disable MayHaveTenant filter.

  • User Avatar
    0
    ESTeam created

    It is possible to save the value of the ImpersonatorUserId in the logs, when I am impersonating another user?