Impersonation

Impersonation is the ability of a thread to execute in a security context that is different from the context of the process that owns the thread. When running in the client's security context, the server "is" the client, to some degree. The server thread uses an access token representing the client's credentials to obtain access to the objects to which the client has access.

The primary reason for impersonation is to cause access checks to be performed against the client's identity. Using the client's identity for access checks can cause access to be either restricted or expanded, depending on what the client has permission to do. For example, suppose you have a file server that stores reviews, and each review file has an ACL. If you impersonate the client before accessing the files, you can prevent the client from accessing data that it does not have permission to access.
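The following added example (not part of the original page, and not the Windows API) is a simplified Python model of the file-server case: the access check uses the thread's impersonation token when one is set and the process token otherwise, which is why the same server thread can see access both restricted and expanded. The account names, file names and ACLs are constructed, and the model covers only ordered allow/deny entries.

```python
# Simplified model of a Windows-style access check; all names and ACLs are constructed.
from contextlib import contextmanager
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset = frozenset()

@dataclass
class Thread:
    process_token: Token                         # primary token of the owning process
    impersonation_token: "Token | None" = None   # set only while impersonating

    def effective_token(self):
        return self.impersonation_token or self.process_token  # thread token wins

    @contextmanager
    def impersonate(self, client):
        self.impersonation_token = client
        try:
            yield
        finally:
            self.impersonation_token = None      # always revert, even on error

def access_check(token, acl, wanted):
    """Walk ACEs in order: a matching deny fails; allows accumulate until covered."""
    sids, granted = {token.user} | token.groups, set()
    for kind, sid, rights in acl:
        if sid in sids and kind == "deny" and rights & (wanted - granted):
            return False
        if sid in sids and kind == "allow":
            granted |= rights
        if wanted <= granted:
            return True
    return False                                 # nothing granted the request

SERVER = Token("svc_reviews")
ALICE = Token("alice", frozenset({"Managers"}))
BOB = Token("bob", frozenset({"Staff"}))
ACLS = {  # constructed sample ACLs: (type, trustee, rights)
    "alice_review.txt": [("allow", "svc_reviews", {"read"}), ("allow", "alice", {"read"})],
    "salary_notes.txt": [("deny", "Staff", {"read"}), ("allow", "Managers", {"read"})],
}

def server_read(thread, name, client=None):
    """Read check on the server thread, impersonating the client when one is given."""
    with thread.impersonate(client):
        return access_check(thread.effective_token(), ACLS[name], {"read"})
```

Without a client token the check runs against `svc_reviews`; with one, the result follows the client's ACL entries, and the thread reverts to the process token when the `with` block exits.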

For more information on impersonation, see Access Tokens for Impersonation and Auto-Impersonation.