Security Policy

SharePoint 2007

Grants Code Access Security (CAS) rights to certain server-side code components running under a specific Web application context.

Real World Example

A new Web Part that will be installed in the BIN directory requires higher levels of access than the standard security policy allows, so a special policy entry is created that grants the required rights specifically to the Web Part assembly.

Technical Details

Two default security policies are included with Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007: WSS_mediumtrust.xml and WSS_minimaltrust.xml. Upon installation, WSS_Minimal is the default policy. SharePoint Products and Technologies define additional permission classes beyond those available in ASP.NET 2.0.

The following is an example of entries in a security policy file.

            <PolicyLevel version="1">
                  <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, 
                  Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                  <SecurityClass Name="AspNetHostingPermission" 
                  System, Version=, Culture=neutral, 
                  <PermissionSet class="NamedPermissionSet" version="1" 
                  Unrestricted="true" Name="FullTrust" Description="Allows full access to all resources" />
                  <PermissionSet class="NamedPermissionSet" version="1" 
                  Name="Nothing" Description="Denies all resources, including the right to execute" /></NamedPermissionSets>
               <CodeGroup class="FirstMatchCodeGroup" version="1" 
                  <IMembershipCondition class="AllMembershipCondition" version="1" /></CodeGroup>

The default policy files for Office SharePoint Server 2007 and Windows SharePoint Services 3.0 are stored in the following path:

%COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\12\CONFIG

You can deploy security policy entries as part of solutions, which is the recommended way of deploying security policy changes with a customization.

Support Details

If a customization is included with a custom security policy file, it must be copied to every server that references the policy (for example, front-end Web servers or Web application servers). If a particular component, such as a Web Part, requires a custom security policy, only the entries for a security policy file that apply to that component are required. Therefore, the individual custom security settings that apply to the specific component should be copied into a single custom security policy file. If you use solutions to add these security entries into the policy file, make a copy of the default policy file before deploying the solutions, and name this file to indicate that it is a custom version of the original file. Then set this custom copy as the policy file used by the Web application, so that after any solutions are deployed that make policy file entry changes, these can be made to the custom policy file.

It is not supportable or recommended to replace the current security policy with the one supplied with the Web Part, because this affects more than just the security setting for that single Web Part. This can present an issue immediately or be delayed until another Web Part requires deployment. A more supportable process is to deploy the Web Part as part of a solution that adds the appropriate safe control and security policy entries.