Sharepoint Forum


RevertToSelf and the Sharepoint Object Model

  Asked By: Jamison    Date: Aug 24    Category: Sharepoint    Views: 5574

I just wanted to share with you some of the results of some experimentation
I have been doing with using the application pool identity to access the
Sharepoint object model.

As you may know, much of the Object Model is only accessible by Sharepoint
administrators, and the application pool identity.

This obviously causes problems when you need to access this from a web part
which will be run by your non-admin users.

Additionally, there is a problem with Sharepoint, in that doing a simple
RevertToSelf call (or impersonating IntPtr.Zero, which internally calls
RevertToSelf) still does not give you that access.

There are a couple of widely used work-arounds to this, neither of which is
particularly satisfactory from either a performance or an ease-of-coding
point of view.

These are:
1. Marshal your object model calls into a separate AppDomain, which is
fairly advanced for many people, and produces fragile code which does not
perform particularly well.

2. Call a Web Service interface to the object model, which is better in
terms of code readability, but means an unnecessary http call.

I am presenting a third work-around here, which is rather less

Having done some experimentation, it would appear that simply
re-impersonating the app pool account after using RevertToSelf will allow
you access to the Sharepoint object model.

This is still not satisfactory, mainly due to the fact that it is
non-obvious as to why it works, and it seems to be redundant code, but it is
still easier to use, and I believe should be more performant than the above
methods (I haven't done any performance checking, but the ease-of-use is
enough of a sell for me).
Note you will need to run this under (at least) WSS_Medium privilege
(although the Object Model also requires this level of privilege).

Here's how I do it:

First, wrap all the impersonation code into its own class:

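using System;
using System.Security.Principal;

public class Impersonator : IDisposable
{
    private WindowsImpersonationContext ctx = null;
    private WindowsImpersonationContext ctx1 = null;

    // Start impersonating as soon as the object is created, so that a
    // using block around it runs as the app pool account
    public Impersonator()
    {
        ImpersonateAppPoolUser();
    }

    public void ImpersonateAppPoolUser()
    {
        // Call the .net wrapper for RevertToSelf
        ctx = WindowsIdentity.Impersonate(IntPtr.Zero);

        // and call impersonate on the app pool user object (now the current identity)
        ctx1 = WindowsIdentity.GetCurrent().Impersonate();
    }

    public void UndoImpersonation()
    {
        // Undo in reverse order: ctx1 first, then ctx, so the thread ends up
        // back on the original caller's token and not on the app pool account
        if(ctx1 != null)
        {
            ctx1.Undo();
            ctx1 = null;
        }

        if(ctx != null)
        {
            ctx.Undo();
            ctx = null;
        }
    }

    public void Dispose()
    {
        UndoImpersonation();
    }
}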

Then, when you need to use the object model, just use this object:

using(Impersonator imp = new Impersonator())
{
    // object model access goes in here
}


5 Answers Found

Answer #1    Answered By: Rigoberto Beard     Answered On: Aug 24

Are you saying that the RevertToSelf(IntPtr.Zero) followed by the
GetCurrent Impersonation allows access to _all_ OM functionality? What
about running the code found in these articles:

Answer #2    Answered By: Alphonso Mckay     Answered On: Aug 24

Actually you may be right; I had only been using this to access lists which
were denied to normal users. Doing a quick test, getting information about
roles seems to fail.

I'll have another look at doing this next week, when I get a chance to spend
a little time on it.

Answer #3    Answered By: Daron Oneill     Answered On: Aug 24

I'm not sure if this is mentioned in the article but
at the expense of being redundant, GetContextWeb
method call and others like it only return the site
for the user who initiated the request. The object
model is prepared ahead of time, not at the moment the
method is called.
So, and I'm sure someone here mentioned something
similar, you have to use a new instance of the SPWeb
or SPSite class only AFTER the desired user account
has been impersonated.
BTW... beware of SharePoint code access security!!!

Answer #4    Answered By: M Juarez     Answered On: Aug 24

I have tried RevertToSelf with the following code:

using(Impersonator imp = new Impersonator())
{
    SPWeb web2 = SPControl.GetContextWeb(Context);
    SPList theList = web2.Lists[new Guid("{68685386-4A1E-4C41-917F-
}

Unfortunately the "Access is denied" error is raised, although the
Application Pool account has full privileges as local Admin.

Answer #5    Answered By: Marty Mcdowell     Answered On: Aug 24

I found that using GetContextWeb does not work; as in the other scenarios
you will need to obtain the correct identity, and then get the web from a
means other than GetContextWeb - e.g.

// serverUri, webId and listId were saved before switching identity
SPVirtualServer server = new SPGlobalAdmin().OpenVirtualServer(serverUri);
SPSite site = server.Sites[0];
SPWeb web = site.AllWebs[webId];
SPList list = web.Lists[listId];

having saved out all the relevant IDs beforehand.
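
A hardened variant of the Impersonator class from the question, as an added example that is not code from any poster in this thread: it records who the thread was running as, cleans up if the switch fails half-way, and checks on exit that the caller's identity is back. AppPoolScope and its members are hypothetical names; only the System.Security.Principal calls are real APIs, and .NET Framework 2.0 or later is assumed.

```csharp
using System;
using System.Security.Principal;

// Added example: AppPoolScope, callerName, revert and reimp are hypothetical names.
public sealed class AppPoolScope : IDisposable
{
    private readonly string callerName;           // identity before elevation
    private WindowsImpersonationContext revert;   // from Impersonate(IntPtr.Zero)
    private WindowsImpersonationContext reimp;    // from re-impersonating the process identity

    public AppPoolScope()
    {
        callerName = WindowsIdentity.GetCurrent().Name;
        try
        {
            revert = WindowsIdentity.Impersonate(IntPtr.Zero);   // RevertToSelf
            reimp = WindowsIdentity.GetCurrent().Impersonate();  // app pool identity
        }
        catch
        {
            Dispose();   // never leave the thread half-switched
            throw;
        }
    }

    // Name the thread is running as right now; log it when auditing elevated calls.
    public static string CurrentName()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    public void Dispose()
    {
        // Undo in reverse order: each Undo restores the token that was active
        // when that context was created.
        if (reimp != null) { reimp.Undo(); reimp = null; }
        if (revert != null) { revert.Undo(); revert = null; }

        // A leaked app pool identity on a request thread is worse than a
        // masked exception, so fail loudly if the caller was not restored.
        if (!String.Equals(CurrentName(), callerName, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "Thread identity was not restored to " + callerName);
    }
}
```

Create the SPSite and SPWeb instances inside the `using (new AppPoolScope())` block, as Answers #3 and #5 describe, and keep that block limited to the calls that need the app pool account.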
