Riva CRM Integration - Documentation and Knowledge Base

Limited Delegate Access in Riva

Article ID: 1781
Last updated: 03 May, 2024

Impersonation Models in Exchange

When using a service account to impersonate target mailboxes connected to Riva, there are two possible Exchange Impersonation methods:

  • ApplicationImpersonation: a management role that enables applications to impersonate users to perform actions on their behalf using EWS.
  • Delegate Access: allows permissions to be configured for each individual folder, for example only the Calendar.

Scenario

The ability to support both impersonation methods (access methods to a mailbox) is extremely valuable, because some organizations do not allow ApplicationImpersonation or restrict the level of access that applications can have to their users' mailboxes. In these situations, Full Access cannot be set, because the permissions scope has been narrowed to the specific folders that the Riva sync requires access to.

Issue

By default, when an Exchange admin sets the mailbox permission to Delegate Access, Riva verifies the access level when connecting to EWS, and if Full Access is not configured, Riva autoswitches to ApplicationImpersonation.

The problem with that autoswitch is that the mailbox was configured for Delegate Access only, so the impersonation attempt is denied and the sync always fails.

The following error messages are displayed in the logs:
2018-04-20 14:18:19,90 Insufficient delegate rights detected - attempting impersonation...
2018-04-20 14:18:19,91 Connecting to EWS via impersonation
2018-04-20 14:18:19,92 Service response error: [ErrorImpersonateUserDenied] The account does not have permission to impersonate the requested user.

Solution

It is possible to configure Riva to sync successfully with Delegate Access.

Implementation for Riva Cloud

Implementation for Riva On-Premise

If limited delegate access is necessary for deployment due to privacy or security policy restrictions, the delegate permission should normally be configured in Exchange to provide access to the desired folder(s): Inbox, Calendar, Contacts, and/or Tasks.

To configure Riva On-Premise to work with limited Delegate Access:

  1. In the Riva Manager application, on the menu bar, select Setup.

  2. In the right pane, double-click the Exchange connection to edit it.

  3. On the side bar, select Connection Details. In the right pane, under Additional Details, ensure that the Impersonation Method is set to Delegate Full Access.

  4. On the side bar, select Test.

  5. In the right pane, test the configured access: enter a user email address, and select Run Test >>.

    The results should show success only for the folder(s) that access was granted for. In this example, Delegate Access was set for only the Calendar module.

  6. Save the connection.

  7. Apply the following advanced option to the sync policy:

    Sync.Ex.RetryOnDelegationErrorEnabled.Enabled = False

  8. Restart the Riva Service Monitor for the applied advanced option to take effect.

    Result of applying the advanced option: the Riva sync is prevented from switching to impersonation upon a Full Access verification error.

    Result of following the entire procedure: the Riva sync works with limited Delegate Access.
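
To check a log for the failed autoswitch described under Issue, before or after applying the advanced option, the following added example (not Riva code) pairs each "Insufficient delegate rights" fallback with a later ErrorImpersonateUserDenied. The line layout is assumed from the three log lines quoted above; the function name, the look-ahead window, and the last three sample lines are constructed for illustration.

```python
import re

# Assumed layout, taken from the three log lines quoted in this article:
# "<date> <time>,<fraction> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) (.*)$")
FALLBACK = "Insufficient delegate rights detected - attempting impersonation"
DENIED = "[ErrorImpersonateUserDenied]"
OPTION = "Sync.Ex.RetryOnDelegationErrorEnabled.Enabled = False"

def find_denied_fallbacks(lines, window=5):
    """Pair each delegate-to-impersonation fallback with an
    ErrorImpersonateUserDenied seen within `window` later log lines."""
    findings = []
    pending = None  # [timestamp of fallback, lines left to look ahead]
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank or continuation lines
        stamp, message = match.groups()
        if FALLBACK in message:
            pending = [stamp, window]
        elif pending is not None:
            if DENIED in message:
                findings.append({"fallback_at": pending[0],
                                 "denied_at": stamp,
                                 "advanced_option": OPTION})
                pending = None
            else:
                pending[1] -= 1
                if pending[1] <= 0:
                    pending = None  # fallback was not followed by a denial
    return findings

# Lines 1-3 are the log lines quoted in the article; the rest are constructed.
SAMPLE_LOG = """\
2018-04-20 14:18:19,90 Insufficient delegate rights detected - attempting impersonation...
2018-04-20 14:18:19,91 Connecting to EWS via impersonation
2018-04-20 14:18:19,92 Service response error: [ErrorImpersonateUserDenied] The account does not have permission to impersonate the requested user.
2018-04-20 14:25:02,10 Insufficient delegate rights detected - attempting impersonation...
2018-04-20 14:25:02,11 Connecting to EWS via impersonation
2018-04-20 14:25:02,40 (constructed) sync cycle completed
""".splitlines()

if __name__ == "__main__":
    for f in find_denied_fallbacks(SAMPLE_LOG):
        print(f"{f['denied_at']}: impersonation fallback denied "
              f"(fallback at {f['fallback_at']}); check {f['advanced_option']}")
```

A finding after the advanced option has been applied and the Riva Service Monitor restarted indicates that the sync is still switching to impersonation.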

Revision: 3