Code Groups

A code group is a logical grouping of code that has a specified condition for membership. Any code that meets the membership condition is included in the group. Code groups have associated permission sets that are evaluated during a policy grant. Administrators configure security policy by managing code groups and their associated permission sets.

The following table shows the code group membership conditions provided by the .NET Framework. Membership conditions are implemented as classes.

Membership condition    Condition based on
All code                Represents a membership condition that matches all code.
Application directory   The application's installation directory.
Cryptographic hash      An MD5, SHA1, or other cryptographic hash.
Software publisher      The public key of a valid Authenticode signature.
Site membership         The HTTP, HTTPS, and FTP site from which code originates.
Strong name             A cryptographically strong signature.
URL                     The URL where the code originates, including the final wildcard; for example, http://site/app/*.
Zone                    The zone where the code originates.

The common language runtime uses identifying characteristics (evidence) that describe the code to determine whether a group's membership condition has been met. For example, if the membership condition of the group is "Code from the Web site", the runtime examines the evidence to determine whether the code originates from

Each code group is associated with a named permission set. Code groups can also have attributes that affect how the code group is used to define security policy.

Enterprise, machine, and user policy levels are represented by a hierarchy of code groups. The application domain level cannot be administratively configured, but it does have a hierarchy of code groups that can be programmatically set. The root of each hierarchy is the group containing all code. The all code group has child nodes, and those child nodes have child nodes, and so on. If code is a member of the parent code group, then the code might be a member of one or more of that group's child code groups. If code is not a member of the parent code group, it cannot be a member of any of the code groups that are descended from that parent.
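
The parent/child rule above, shown as an added C# example that is not part of the original documentation. It assumes a runtime where code access security policy is available (.NET Framework 2.0 through 3.5, or 4.x with legacy CAS policy enabled); the group names, the sample file URL, and the permissions chosen are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class CodeGroupHierarchyDemo
{
    // Helper (hypothetical): a union code group granting at most one permission.
    static CodeGroup Group(string name, IMembershipCondition cond, IPermission perm)
    {
        PermissionSet set = new PermissionSet(PermissionState.None);
        if (perm != null) set.AddPermission(perm);
        CodeGroup g = new UnionCodeGroup(cond, new PolicyStatement(set));
        g.Name = name;
        return g;
    }

    static void PrintMatches(CodeGroup g, int depth)
    {
        if (g == null) return;
        Console.WriteLine("{0}member of {1}", new string(' ', depth * 2), g.Name);
        foreach (CodeGroup child in g.Children) PrintMatches(child, depth + 1);
    }

    static void Show(PolicyLevel level, SecurityZone zone, string url)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(zone));   // constructed evidence; a host normally supplies it
        ev.AddHost(new Url(url));
        Console.WriteLine("{0} / {1}", zone, url);
        PrintMatches(level.ResolveMatchingCodeGroups(ev), 1);
        Console.WriteLine("  grant: {0}", level.Resolve(ev).PermissionSet);
    }

    static void Main()
    {
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        CodeGroup root = Group("All_Code", new AllMembershipCondition(), null);
        CodeGroup zone = Group("Intranet_Zone", new ZoneMembershipCondition(SecurityZone.Intranet),
                               new SecurityPermission(SecurityPermissionFlag.Execution));
        CodeGroup app = Group("Site_App", new UrlMembershipCondition("http://site/app/*"),
                              new UIPermission(PermissionState.Unrestricted));
        zone.AddChild(app);    // AddChild stores a copy, so build from the leaves upward
        root.AddChild(zone);
        level.RootCodeGroup = root;
        // Zone and URL evidence both match: the code is a member of all three groups.
        Show(level, SecurityZone.Intranet, "http://site/app/a.dll");
        // URL matches, but the parent zone group does not, so Site_App is never evaluated.
        Show(level, SecurityZone.Internet, "http://site/app/a.dll");
    }
}
```

The second call is the case to check when reviewing a policy tree: a permissive child group only takes effect for code that already satisfies every ancestor's membership condition.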

Code groups have optional description and name attributes that you can view using the .NET Framework Configuration Tool.

See Also

Code Group Attributes | Evidence | Named Permission Sets | Security Policy Management