
How to: Grant Permissions to Folders and Assemblies

The following procedures grant full trust permissions to an assembly or folder in a Visual Studio Tools for Office solution. Normally, you grant permissions to a specific assembly. If you have several assemblies, and you are certain that the location is secure, you can grant full trust to the folder where the assemblies are located. If you grant trust to the folder, all the assemblies in that folder and its subfolders are also trusted.

There are three ways to grant permissions to folders and assemblies in Office solutions:

  • Using the Trust Assemblies Location property in Visual Studio. (Useful only during development.)

    The Trust Assemblies Location property only works during development; it has no effect on end users. For this reason, you cannot use this method for deployment. For more information, see Properties in Visual Studio Tools for Office Projects.

  • Using the Microsoft .NET Framework 2.0 Configuration tool.

    This tool provides a graphical user interface for working with security policy.

  • Using the Code Access Security Policy tool (Caspol.exe).

    This tool is a command-line interface for working with security policy.

Note

These are the basic steps for setting your own security policy, for the purpose of developing and testing assemblies. Do not use these steps to grant trust to assemblies or directories if you are not certain that they are safe and secure. For more information about setting security policy, see Deploying Security Policy and Configuring Code Groups Using the .NET Framework Configuration Tool (Mscorcfg.msc).

Using the Trust Assemblies Location Property

When you create a project, full trust based on location is granted by default. If the Trust Assemblies Location property has been changed, you can reapply the default settings:

To grant full trust to project assemblies on your development computer

  1. In Visual Studio, select the project node in Solution Explorer.

  2. In the Properties window, select Trust Assemblies Location.

  3. Set the property to true.

  4. Click Build Solution on the Build menu.

Using the .NET Framework 2.0 Configuration Tool

The steps to follow differ if you are granting trust to:

  • An assembly or folder on your local computer, or

  • An assembly or folder on another computer on a network (or a mapped drive).

To grant full trust to an assembly or folder on your local computer

  1. In Control Panel, open Administrative Tools.

  2. Run Microsoft .NET Framework 2.0 Configuration.

    Note

    There might be several similar tools with names that start with Microsoft .NET Framework. Make sure that the configuration tool you use matches your version of the runtime.

  3. In the treeview on the left side, expand .NET Framework 2.0 Configuration, expand My Computer, expand Runtime Security Policy, expand User, expand Code Groups, expand All_Code, and then expand VSTOProjects.

    Note

    If you have not compiled a Visual Studio Tools for Office project before, you will not have the VSTOProjects folder. You can add the new code group to the All_Code root node, or you can compile a Visual Studio Tools for Office project to have the VSTOProjects folder created automatically.

  4. On the right is the VSTOProjects Code Group description, which has a Tasks section at the bottom of the page. In the Tasks section, click Add a Child Code Group.

    The Create Code Group wizard starts.

  5. Select Create a new code group, and enter a name and description that will help you identify the project. Click Next.

  6. In the Choose the condition type for this code group list, click URL.

  7. In the URL box, type the full path to the assembly, or the path to the bin folder of the project followed by an asterisk (for example, c:\<path>\ExcelApplication1.dll or c:\<path>\ExcelApplication1\bin\*).

  8. Click Next.

    Note

    If you type the path to the bin folder, all assemblies in that folder and all its subfolders are granted full trust on your computer. Make sure that no unauthorized people have access to folders that are fully trusted, or someone could put a malicious assembly in the folder and the assembly would run with full trust.

    Caution

    Do not grant permissions to an entire hard disk (such as C:\*) or to general folders such as My Documents, because you might grant permissions to cached assemblies from the Internet or from e-mail messages. Only grant permissions to specific project folders that contain assemblies you know are safe to execute.

  9. Select Use existing permission set, and then select FullTrust from the list.

  10. Click Next.

  11. Click Finish.

To grant full trust to an assembly or folder on a network computer or mapped drive

  1. In Control Panel, open Administrative Tools.

  2. Run Microsoft .NET Framework 2.0 Configuration.

    Note

    There might be several similar tools with names that start with Microsoft .NET Framework. Make sure that the configuration tool you use matches your version of the runtime.

  3. In the treeview on the left side, expand .NET Framework 2.0 Configuration, expand My Computer, expand Runtime Security Policy, expand Machine, expand Code Groups, and then expand All_Code.

  4. Right-click LocalIntranet_Zone under All_Code, and then click New.

    This assumes that the server you are targeting is in the Local Intranet zone. If it has been added to the Trusted Sites zone in Internet Explorer, right-click Trusted_Zone instead. If the assembly is on a mapped drive, you must use LocalIntranet_Zone.

  5. Enter a name and description that will help you identify the project. Click Next.

  6. In the Choose the condition type for this code group list, click URL.

  7. In the URL box, type the full path to the assembly, or the path to the bin folder of the project followed by an asterisk (for example, \\ServerName\FolderName\ExcelApplication1.dll or http://ServerName/FolderName/ExcelApplication1/bin/*).

  8. Click Next.

    Note

    If you type the path to the bin folder, all assemblies in that folder and all its subfolders will be granted full trust on your computer. If you are not sure that these folders are secure, such broad permissions can be a security risk.

  9. Select Use existing permission set, and then select FullTrust from the list.

  10. Click Next.

  11. Click Finish.

Note

You must be an administrator to grant full trust to an assembly or folder on a network computer, and trust must be granted at the Machine level instead of the User level.

Using the Code Access Security Policy Tool (Caspol.exe)

You can also grant full trust to a folder from a command prompt by using the Code Access Security Policy tool (Caspol.exe). For more information about Caspol.exe, see Code Access Security Policy Tool (Caspol.exe).

You can grant trust to a folder on your local computer at the User level with normal user permissions. To grant trust to a network location, you must have administrator privileges and change the security policy at the Machine level. The Machine policy level acts independently of the User policy level: the Machine policy level does not grant full trust to the Intranet zone even if the User policy level does. The runtime grants code only the permissions that every policy level allows, so the policy levels must agree.

Tip

Type the commands manually. Copying and pasting the commands into the command prompt might result in Unknown Option errors.

To grant full trust to a local folder

  • Type the following command in the Visual Studio Command Prompt:

    caspol -u -ag All_Code -url C:\<FolderName>\<FolderName>\* FullTrust -n "<Name>" -d "<Description>"

To grant full trust to a network folder

  • Type the following command in the Visual Studio Command Prompt:

    caspol -m -ag LocalIntranet_Zone -url \\<ServerName>\<FolderName>\* FullTrust -n "<Name>" -d "<Description>"

For more information, see How to: Add Code Groups Using Caspol.exe.
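
The Note and Caution in the procedures above can be checked before a caspol command is run. The following PowerShell function is an added example, not part of the original article or of Caspol.exe; the name Test-TrustCandidate and the list of accounts treated as authorized are assumptions.

```powershell
# Added example: pre-flight check for a folder before "caspol ... -url <folder>\* FullTrust".
# Test-TrustCandidate is a hypothetical helper, not part of Caspol.exe or Visual Studio.
function Test-TrustCandidate {
    param([Parameter(Mandatory = $true)][string]$Folder)

    $findings = @()
    $full = [System.IO.Path]::GetFullPath($Folder).TrimEnd('\')

    # Caution in the procedure: never trust an entire disk such as C:\*.
    if ($full -eq [System.IO.Path]::GetPathRoot($full).TrimEnd('\')) {
        $findings += "Drive or share root: $full"
    }

    # Caution in the procedure: never trust general folders such as My Documents.
    # The wildcard covers subfolders, so a parent of a general folder is flagged too.
    foreach ($name in 'MyDocuments', 'Desktop', 'UserProfile', 'InternetCache') {
        $general = [Environment]::GetFolderPath($name).TrimEnd('\')
        if ($general -and ($general + '\').StartsWith($full + '\', [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Equals or contains general folder: $general"
        }
    }

    # Note in the procedure: unauthorized people must not be able to add files to a trusted folder.
    # Assumption: only Administrators, SYSTEM, TrustedInstaller and the current user are authorized.
    $allowed = 'S-1-5-32-544', 'S-1-5-18',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    # Rights that let a principal plant or re-permission files, plus GENERIC_ALL and
    # GENERIC_WRITE (0x50000000), which some access rules carry unmapped.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership' -bor 0x50000000

    # Read explicit and inherited rules as SIDs so the check does not depend on localized names.
    $acl = Get-Acl -LiteralPath ($full + '\')
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $rule.IdentityReference.Value -and
            ([int]$rule.FileSystemRights -band $writeBits)) {
            $findings += "Writable by $($rule.IdentityReference.Value): $($rule.FileSystemRights)"
        }
    }
    $findings
}

# Usage (an empty result means no findings):
# Test-TrustCandidate 'C:\<FolderName>\<FolderName>'
```

The function inspects only the access control list of the folder itself; assemblies and subfolders inside it can carry their own access rules and should be reviewed the same way.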

Note

After policy is deployed, everyone that is affected by the policy change must quit and then restart all Office applications used in the solution before the policy changes are enforced. If Microsoft Office Word 2003 is part of the solution, users must also quit and restart Microsoft Office Outlook 2003. Also, if a user has opened a document or workbook in Internet Explorer, the process could still be running. Check Windows Task Manager to make sure there are no instances of the Office application. Other applications that host Office applications can also prevent the new permissions from being enforced. Users should quit all applications that use Office, hosted or stand-alone, when security policies are changed.

© 2014 Microsoft