This documentation is archived and is not being maintained.

Computing the Allowed Permission Set

Important noteImportant

In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.

The common language runtime computes the allowed permission set for application domains and assemblies by traversing the code group hierarchies for the relevant policy levels. For application domains, the relevant policy levels are enterprise, machine, and user. For assemblies, the relevant policy levels are enterprise, machine, user, and application domain.

The runtime uses the following process to compute the allowed permission set:

  1. For each relevant policy level, the runtime uses identity information provided by evidence to determine which groups the code belongs to. If the code is a member of a group, that group is said to be a match.

    The search for a match begins at the top of the code group hierarchy in the all code group. The runtime searches the levels in the hierarchy, including child groups if a match is found in some parent group.

  2. When all matches in the hierarchy have been identified, the permissions associated with each matching code group are combined in an additive manner (a union), resulting in the set of permissions allowed by that policy level.

    The runtime computes the allowed permission set differently if the Exclusive or LevelFinal attribute is applied to the code group. For details, see Code Group Attributes.

  3. The runtime then repeats the hierarchy search and intersects the permission sets for each policy level to compute the allowed permission set for the application domain or assembly. The resulting permission set contains only the permissions allowed for all policy levels.

The following illustration shows a code group hierarchy where Microsoft Money is a member of four code groups: All code, Microsoft (the Publisher), Local Internet (the Zone), and Microsoft Money (the Name). The allowed permission set for a given policy level (machine, user, or application domain) is the additive combination (the union) of the named permission sets associated with each of these code groups.

Code group hierarchy

Code group hierarchy