Impersonation and Delegation are key to HMC's ability to service-enable, or more specifically multi-tenant-enable, a business application. The need for both an Impersonation and a Delegation Model generally arises from the fact that enterprise applications are not designed to natively support multi-tenancy, though there are other factors that lead to this requirement as well. First we should start by defining these two terms.
Impersonation: The provisioning system's ability to perform actions under the security context of an identity other than that of the Service Account under which the process is running. It includes the ability to switch security context based on the Service Logic or Workflow definition. Implemented as workflow-controlled, thread-level security context switching (that is, ImpersonateLoggedOnUser and RevertToSelf).
An HMC workflow can switch between three impersonation states in order to perform necessary provisioning actions:
For more details regarding the HMC Delegation model see Logic Flow of Security Processing.
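The thread-level switch described above, as an added illustration that is not HMC or MPS code: a hypothetical RunImpersonated helper wraps ImpersonateLoggedOnUser and RevertToSelf so that a failed switch aborts the action instead of silently running it as the Service Account, and the thread is always returned to the Service Account's context, even when the action throws. The token handle is assumed to come from the host (for example the authenticated caller's WindowsIdentity.Token); the Main method uses the process's own token as a stand-in so the sample runs for any user, which is why "During" prints the same name.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example of thread-level security context switching with
// ImpersonateLoggedOnUser / RevertToSelf. Not HMC/MPS code; the
// RunImpersonated helper and its names are hypothetical.
static class ImpersonationDemo
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    // Runs 'action' on the current thread under the identity represented by
    // 'callerToken', then returns the thread to the Service Account's context.
    // Assumption: the host already holds a valid token handle for the caller;
    // how that handle is obtained is outside this example.
    public static T RunImpersonated<T>(IntPtr callerToken, Func<T> action)
    {
        // If the switch fails, stop here: falling through would run the
        // action under the (typically more privileged) Service Account.
        if (!ImpersonateLoggedOnUser(callerToken))
            throw new Win32Exception(Marshal.GetLastWin32Error(),
                "ImpersonateLoggedOnUser failed");

        try
        {
            return action();
        }
        finally
        {
            // Always revert, even when 'action' throws. A thread left in the
            // caller's context (and later reused by a thread pool) would carry
            // that context into unrelated work.
            if (!RevertToSelf())
            {
                // The thread's security context is now unknown; do not keep
                // processing requests on it.
                Environment.FailFast(
                    "RevertToSelf failed; thread security context is unknown");
            }
        }
    }

    static void Main()
    {
        // Identity of the process itself: in HMC terms, the Service Account.
        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);

        // Stand-in token: the process's own token, so the demo runs for any
        // user. In a real workflow this would be the caller's token.
        using (WindowsIdentity self = WindowsIdentity.GetCurrent())
        {
            // WindowsIdentity.GetCurrent() reports the thread's identity, so
            // inside the delegate it reflects the impersonated context.
            string during = RunImpersonated(self.Token,
                () => WindowsIdentity.GetCurrent().Name);
            Console.WriteLine("During: " + during);
        }

        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Two points the helper is built around: the impersonation token applies only to the calling thread, so any work handed to another thread runs as the Service Account unless the host explicitly flows the identity; and the return values of both calls are checked, because an unchecked ImpersonateLoggedOnUser failure is the usual way a workflow step ends up executing with Service Account rights it was never meant to use.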
Delegation: In the case of HMC we are referring to Delegation of administration, or the ability to grant specific users or sets of users rights to perform administrative-type actions within the context of their parent container. For example, the ability to grant Tenant or Business Administrators the right to create Exchange Mailboxes for users in their Organization and sub-Organizations.
Note: not to be confused with Kerberos Delegation, which relates to authentication/authorization.
For more details regarding the HMC Delegation model see .
The easiest way to describe how these are used in HMC is to walk through one of our more complex and most common workflows, Hosted Email 2007::CreateMailbox. In this workflow, we end up exercising all three impersonation states described above.