Thread: Impersonating user...

Hi,

My current project requires that if a user does not have enough permission
to run certain code, the user can ask someone with higher permission to give
him/her more permission.

I am able to impersonate a user by calling LogonUser function in the
advapi32.dll to retrieve a Token. I then use the Token retrieved to create a
new WindowsIdentity. With the newly created WindowsIdentity, I called the
Impersonate method.

By doing so, the current WindowsIdentity is switch to this new user.

Now I'm facing a problem. The new WindowsIdentity is not able to access the
files in the original user's Document and Settings folder (As the user
account that is impersonated is not an administrator).

When I tried to create a new WebService, I can an exception thrown with the
following message,

"An unhandled exception of type 'System.UnauthorizedAccessException'
occurred in mscorlib.dll
Additional information: Access to the path
"C:\DOCUME~1\POHTZE~1\LOCALS~1\Temp\galwm2zm.0.cs" is denied."

So, my question now is, is there any way to join the existing WindowIdentity
with the new one? I tried calling LogonUser with the
LogonType=LOGON32_LOGON_NEW_CREDENTIALS but it doesn't seems to solve the
problem.

Thanks.

So, how can one solve this problem?

All I wanted to do is to use the Role-Based Security feature to protect the code from running depending on the user's UserGroup. This is also true to the ability to access the tables, stored procedure in SQL Server 2000.

If the user does not have the right to access some feature, a logon screen will appear asking for a user with higher privilege to login.

Thanks.