Important: This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here.
How to: Add Assemblies to Security Policy Using Caspol.exe
An assembly that implements a custom permission, or implements any other custom security object that is not included in the .NET Framework, must be added to the fully trusted assembly list. You can do this using the Code Access Security Policy tool (Caspol.exe). There is a separate list for each policy level. The fully trusted assembly list grants its members full trust for the related policy level. This is necessary to keep the runtime from performing circular policy resolutions.
To add an assembly that implements a custom security object to the fully trusted assembly list
Before you add an assembly to security policy, you must give it a strong name and put it in the global assembly cache. For more information about working with assemblies and the global assembly cache, see Creating and Using Strong-Named Assemblies.
Type the following command at the command prompt:
caspol [-enterprise|-machine|-user] -addfulltrust AssemblyFile
Specify the policy-level option before the -addfulltrust option. If you omit the policy-level option, Caspol.exe lists the permission sets at the default policy level. For computer administrators, the default level is the machine policy level; for others, it is the user policy level.
The following command adds MyCustomPermissionSet.exe to the user policy level's fully trusted assembly list.
caspol -user -addfulltrust MyCustomPermissionSet.exe
If the assembly you add depends on another assembly (that is, uses types implemented in another assembly), you must also add that assembly to the list.
Adding an assembly to a fully trusted assembly list does not guarantee that it will be granted full trust by the policy system as a whole, but only that it will be granted full trust at the policy level where it is listed. For example, if you add the MyCustomPermission.exe assembly to the user policy level's fully trusted assembly list, but MyCustomPermission.exe receives only execution rights from machine policy, MyCustomPermission.exe would eventually be granted only execution rights. It is therefore important to remember that putting an assembly into the fully trusted assembly list only helps avoid creating circular policy resolutions for the policy level where it is listed. It does not guarantee that the assembly implementing the custom permission actually receives a full trust grant.
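The scenario above can be reproduced with the PermissionSet API. This is an added example, not code from the original page. It models each policy level as a fixed grant instead of reading real policy, and the class name, the Resolve helper and the grants assigned to each level are assumptions made for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

static class PolicyLevelGrantDemo
{
    // The runtime's final grant is the intersection of what each policy
    // level grants, so the most restrictive level decides the outcome.
    // Resolve is a hypothetical helper, not a .NET Framework API.
    static PermissionSet Resolve(params PermissionSet[] levelGrants)
    {
        PermissionSet result = new PermissionSet(PermissionState.Unrestricted);
        foreach (PermissionSet grant in levelGrants)
        {
            // Intersect returns null when the intersection is empty.
            result = result.Intersect(grant) ?? new PermissionSet(PermissionState.None);
        }
        return result;
    }

    static void Main()
    {
        // Constructed grants for the scenario in the text.
        // Enterprise level: assumed to grant full trust.
        PermissionSet enterprise = new PermissionSet(PermissionState.Unrestricted);

        // Machine level: the assembly receives execution rights only.
        PermissionSet machine = new PermissionSet(PermissionState.None);
        machine.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // User level: the assembly is on the fully trusted assembly list.
        PermissionSet user = new PermissionSet(PermissionState.Unrestricted);

        PermissionSet effective = Resolve(enterprise, machine, user);
        SecurityPermission sp =
            (SecurityPermission)effective.GetPermission(typeof(SecurityPermission));

        Console.WriteLine("Full trust at user level: {0}", user.IsUnrestricted());
        Console.WriteLine("Full trust after resolve: {0}", effective.IsUnrestricted());
        Console.WriteLine("SecurityPermission flags: {0}",
            sp == null ? "none" : sp.Flags.ToString());
        // A custom permission assembly that needs to assert would fail here.
        Console.WriteLine("Assertion allowed:        {0}",
            new SecurityPermission(SecurityPermissionFlag.Assertion).IsSubsetOf(sp));
    }
}
```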