Question

I just wanted to know in which scenarios RWEP must be given for our code to work, because in situations like creating a site column my code works with and without the RWEP option.

So, in which scenarios is run with elevated privileges a must?

Solution

Gokul,

It really depends on what code you are writing and who the target users are.

If the intended end users would not have enough permissions to access the objects on/with which you are writing code, you will usually wrap the code with RWEP. Then the code will run under the permissions of the app pool identity.

Usually the app pool identity will have great permissions to run most of the code, which will do for us.

For example: you are writing code for a web part to retrieve some content from a custom list. It is fine as long as you place the web part on an intranet page. What if you are putting the web part on an anonymous page where the anonymous users do not have any permissions on your custom lists? In this situation you will wrap your code with RWEP, then connect to your list and pull the content. It will then take the identity of the app pool and execute the code, so you will have no issues.

Let me know if you have any questions

OTHER TIPS

From my experience, in most cases use SPUserToken (it is the safer, i.e. more secure, option); you need to use RWEP only (at least to my knowledge) if you need to have access to the file system (i.e. saving info to a log file would be a good example).

Essentially if you need to impersonate a user for them to do something they normally don't have access to do. You shouldn't really have to do this as there are ways to work within the SharePoint environment to handle this.

Some situations that I've seen this being used: aggregation for web part data. Some people will use RWEP to aggregate data across the farm. This is not necessary as search can do that for you. It also opens up "security holes" in that it is pulling back everything because the app pool accounts can see it all.

Features. Not necessary, since you need full control access to enable features, thus giving the current user all the permissions he needs to execute the code you have created.

Item creation. Some people feel that users shouldn't have access to an underlying list to be able to create items, so they use RWEP to insert or modify list data. The SharePoint security model is robust enough to create add-only permissions or add and edit permissions and even doing things like item level permissioning.

In my opinion, RWEP is a crutch to get around the security model of the system and shouldn't be used.

Use elevated code when the current user doesn't have permission to a particular SharePoint object.

Elevating code will use the App Pool Identity context.

For example, if the user doesn't have permission to create list items and you have a custom form through which you want to make the insert, you can elevate the code to insert the item.
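
The web part scenario from the accepted answer and the SPUserToken tip, side by side, as an added example that is not part of any answer on this page. The class, method and parameter names are hypothetical, and the caller of the second variant is assumed to supply the token (for example a system account's `UserToken`).

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Added example: class, method and parameter names are hypothetical.
public static class ElevatedListReader
{
    // Variant 1: RunWithElevatedPrivileges (RWEP), scoped as narrowly as possible.
    public static List<string> ReadTitlesElevated(string listTitle)
    {
        // Capture IDs only. SPSite/SPWeb objects taken from SPContext keep the
        // current user's permissions even when used inside the delegate.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        List<string> titles = new List<string>();
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects created here run as the app pool identity.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                titles = ReadTitles(web, listTitle);
            }
        });
        return titles; // plain strings only; no elevated object leaves the delegate
    }

    // Variant 2: SPUserToken. SharePoint permissions come from the token; the
    // thread's Windows identity is unchanged, so no file system access is gained.
    public static List<string> ReadTitlesWithToken(Guid siteId, Guid webId, SPUserToken token, string listTitle)
    {
        using (SPSite site = new SPSite(siteId, token))
        using (SPWeb web = site.OpenWeb(webId))
        {
            return ReadTitles(web, listTitle);
        }
    }

    // Shared read: one field, bounded row count, so elevation exposes only what the page shows.
    private static List<string> ReadTitles(SPWeb web, string listTitle)
    {
        List<string> titles = new List<string>();
        SPList list = web.Lists.TryGetList(listTitle);
        if (list == null) return titles;
        SPQuery query = new SPQuery();
        query.ViewFields = "<FieldRef Name='Title'/>";
        query.RowLimit = 50;
        foreach (SPListItem item in list.GetItems(query)) titles.Add(item.Title);
        return titles;
    }
}
```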

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange