This documentation is archived and is not being maintained.

Requiring Full Trust for Types Within an AllowPartiallyTrustedCallersAttribute Assembly

When the AllowPartiallyTrustedCallersAttribute (APTCA) is placed on an assembly, the implicit LinkDemand requiring all callers to be fully trusted is disabled. In some situations, you might want certain members or classes in an assembly to be callable by partially trusted code, but want other members or classes in the same assembly be protected from partially trusted code. The following steps allow you to provide access to certain members or classes from partially trusted code, while still denying access to other members and classes from partially trusted code:

  1. Sign your code with a strong name.

  2. Apply the AllowPartiallyTrustedCallersAttribute attribute to your assembly so that partially trusted callers can use it.

  3. Apply a demand for full trust to the specific member or class within the assembly from step 2 that you want protected from partially trusted callers.


In the .NET Framework version 4, applying the SecurityCriticalAttribute attribute to a type or member in an APTCA assembly has the same effect as applying a link demand for full trust on a type or member. For more information, see Security-Transparent Code, Level 2.

The following are demands that can be placed on your code in order to limit access by partially trusted code:

  • To cause a LinkDemand for full trust, apply the following to a class or member.

    <PermissionSetAttribute(SecurityAction.LinkDemand, Name:="FullTrust")>
  • To cause a link demand requiring that callers have the ability to call unmanaged code, apply the following to a class or member.

    <SecurityPermissionAttribute(SecurityAction.LinkDemand, UnmanagedCode:=True)>
  • To cause an inheritance demand for full trust, apply the following to a class or member.

    <PermissionSet(SecurityAction.InheritanceDemand, Name:="FullTrust")>