Impersonating user from MiniRedirector - which Se*- Privileges must be enabled?

I have a MiniRedirector filesystem driver, with a kernel module and a multithreaded userspace daemon doing the real work. Which privileges listed in must be enabled so each thread can impersonate the user which initiated a filesystem required (open, read, write etc)?