The common language runtime allows code to perform only those operations that the code has permission to perform. The runtime uses objects called permissions to implement its mechanism for enforcing restrictions on managed code. The primary uses of permissions are as follows:
- Code can request the permissions it either needs or could use. The .NET Framework security system determines whether such requests are honored. Requests are honored only if the code's evidence merits granting those permissions. A request never gives code more permission than the current security settings allow. However, a request can result in code being granted less permission.
- The runtime can grant permissions to code based on characteristics of the code's identity, on the permissions that are requested, and on how much the code is trusted (as determined by security policy set by an administrator). For more information about how the runtime decides which permissions to grant, see Security Policy and Permission Grants.
- Code can demand that its callers have specific permissions. If you place a demand for a certain permission on your code, all code that uses your code must have that permission to run.
There are three kinds of permissions, each with a specific purpose:
- Code access permissions, which represent access to a protected resource or the ability to perform a protected operation.
- Identity permissions, which indicate that code has credentials that support a particular kind of identity.
- Role-based security permissions, which provide a mechanism for discovering whether a user (or the agent acting on the user's behalf) has a particular identity or is a member of a specified role. PrincipalPermission is the only role-based security permission.
The runtime provides built-in permission classes in several namespaces and also supplies support for designing and implementing custom permission classes.
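
The demand described above, shown for a code access permission and for the role-based PrincipalPermission, as an added example that is not part of the original documentation. It assumes a fully trusted .NET Framework 4.x console application; the `AuditLog` class, the paths and the role names are hypothetical, and `PermitOnly` is used only to simulate a caller that lacks the demanded permission.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class AuditLog
{
    // Hypothetical directory, used only for illustration; it does not need to exist.
    const string LogDir = @"C:\Logs\Audit";

    public static string Open()
    {
        // Role-based permission: checks Thread.CurrentPrincipal, not the call stack.
        new PrincipalPermission(null, "Auditors").Demand();

        // Code access permission: walks the stack, so every caller must hold it.
        new FileIOPermission(FileIOPermissionAccess.Read, LogDir).Demand();
        return "granted";
    }
}

static class Program
{
    // Runs a call and reports a failed demand instead of crashing.
    static string Try(Func<string> call)
    {
        try { return call(); }
        catch (SecurityException e) { return "denied: " + e.PermissionType?.Name; }
    }

    static string CallRestricted()
    {
        // Simulate a less-trusted caller: this frame may only read C:\Temp.
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Temp").PermitOnly();
        return AuditLog.Open();
    }

    static void Main()
    {
        // Constructed principals: "alice" lacks the Auditors role, "bob" has it.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Users" });
        Console.WriteLine(Try(AuditLog.Open));   // the PrincipalPermission demand fails

        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Auditors" });
        Console.WriteLine(Try(AuditLog.Open));   // both demands succeed
        Console.WriteLine(Try(CallRestricted));  // the FileIOPermission demand fails at the restricted frame
    }
}
```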