What impersonation level is required when implementing a service that needs to access out-of-process resources on behalf of the original caller?
According to MSDN
Impersonation: The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.
Delegation The server process can impersonate the client's security context on remote systems.
Am I correct in assuming that Impersonation is sufficient?
As long as you stay on the same machine: Yes impersonation is enough. In or out of process does not matter.