Security Policy Levels 

Four security policy levels are provided by the .NET Framework to compute the permission grant of an assembly or application domain. Each level contains its own hierarchy of code groups and permission sets. The runtime intersects the permission sets granted to an assembly from each level when computing the allowed permission set. The resulting grant is the sum of permissions allowed by all participating levels in a policy grant; that is, it contains only the permissions that every participating level allows.

The following table describes the four security policy levels provided by .NET Framework security.

Policy type | Specified by | Applies to
--- | --- | ---
Enterprise policy | | All managed code in an enterprise setting where an enterprise configuration file is distributed.
Machine policy | | All managed code on the computer.
User policy | Administrator or user | Code in all the processes associated with the current operating system user when the common language runtime starts.
Application domain policy | Application domain host code | Managed code in the host's application domain.

The policy levels form a hierarchy, with enterprise policy on top, machine policy below that, user policy below that, and application domain policy on the bottom. The runtime starts at the top of the hierarchy and works its way down when computing permission grants. Lower policy levels cannot increase permissions granted at a higher level; however, lower policy levels can decrease permissions. By default, user and application domain policies are less restrictive than machine and enterprise policy. The majority of the default policy exists on the machine level. For more information about default security settings, see Default Security Policy.

When granting permissions to assemblies, the runtime considers the requirements of all existing policies (enterprise, machine, user, and application domain), together with the assembly's requested permissions.

When granting permissions to application domains, the runtime uses the enterprise, machine, and user policies.

See Also