This documentation is archived and is not being maintained.

PrincipalPermission Class

Allows checks against the active principal (see IPrincipal) using the language constructs defined for both declarative and imperative security actions. This class cannot be inherited.


Namespace:  System.Security.Permissions
Assembly:  mscorlib (in mscorlib.dll)

public sealed class PrincipalPermission : IPermission, 
	IUnrestrictedPermission, ISecurityEncodable

The PrincipalPermission type exposes the following members.

PrincipalPermission(PermissionState) (public): Initializes a new instance of the PrincipalPermission class with the specified permission state.
PrincipalPermission(String, String) (public): Initializes a new instance of the PrincipalPermission class for the specified name and role.
PrincipalPermission(String, String, Boolean) (public): Initializes a new instance of the PrincipalPermission class for the specified name, role, and authentication status.

Copy (public): Creates and returns an identical copy of the current permission.
Demand (public): Determines at run time whether the current principal matches the principal specified by the current permission.
Equals (public): Determines whether the specified PrincipalPermission object is equal to the current PrincipalPermission. (Overrides Object.Equals(Object).)
Finalize (protected): Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
FromXml (public): Reconstructs a permission with a specified state from an XML encoding.
GetHashCode (public): Gets a hash code for the PrincipalPermission object that is suitable for use in hashing algorithms and data structures such as a hash table. (Overrides Object.GetHashCode().)
GetType (public): Gets the Type of the current instance. (Inherited from Object.)
Intersect (public): Creates and returns a permission that is the intersection of the current permission and the specified permission.
IsSubsetOf (public): Determines whether the current permission is a subset of the specified permission.
IsUnrestricted (public): Returns a value indicating whether the current permission is unrestricted.
MemberwiseClone (protected): Creates a shallow copy of the current Object. (Inherited from Object.)
ToString (public): Creates and returns a string representing the current permission. (Overrides Object.ToString().)
ToXml (public): Creates an XML encoding of the permission and its current state.
Union (public): Creates a permission that is the union of the current permission and the specified permission.

By passing identity information (user name and role) to the constructor, PrincipalPermission can be used to demand that the identity of the active principal match this information.

To match the active IPrincipal and associated IIdentity, both the specified identity and role must match. If a null identity string is used, it is interpreted as a request to match any identity. Use of a null role string will match any role. By implication, passing a null parameter for name or role to PrincipalPermission will match the identity and roles in any IPrincipal object. It is also possible to construct a PrincipalPermission that determines only whether the IIdentity represents an authenticated or unauthenticated entity. In this case, name and role are ignored.

Unlike most other permissions, PrincipalPermission does not extend CodeAccessPermission. However, it does implement the IPermission interface. This is because PrincipalPermission is not a code access permission; that is, it is not granted based on the identity of the executing assembly. Instead, it allows code to perform actions (Demand, Union, Intersect, and so on) against the current user identity in a manner consistent with the way those actions are performed for code access and code identity permissions.
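The matching rules and the Union and Intersect actions described above, as an added example that is not part of the original documentation. It assigns a constructed GenericPrincipal to Thread.CurrentPrincipal, so no Windows account or principal policy is involved; the user names alice and bob, the role names, and the PrincipalMatchDemo and Check names are made up for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class PrincipalMatchDemo
{
    // Runs the demand against Thread.CurrentPrincipal and reports the outcome.
    static void Check(string label, IPermission perm)
    {
        bool passed;
        try { perm.Demand(); passed = true; }
        catch (SecurityException) { passed = false; }
        Console.WriteLine("{0,-40} {1}", label, passed ? "demand passed" : "SecurityException");
    }

    static void Main()
    {
        // Constructed principal: authenticated user "alice" in the single role "Auditors".
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Auditors" });

        Check("name and role both match", new PrincipalPermission("alice", "Auditors"));
        Check("name matches, role does not", new PrincipalPermission("alice", "Operators"));
        Check("null name, matching role", new PrincipalPermission(null, "Auditors"));
        Check("other name, null role", new PrincipalPermission("bob", null));

        // Union passes when either operand matches; Intersect requires both.
        PrincipalPermission byName = new PrincipalPermission("bob", null);
        PrincipalPermission byRole = new PrincipalPermission(null, "Auditors");
        Check("union: bob OR Auditors", byName.Union(byRole));
        Check("intersect: alice AND Operators",
            new PrincipalPermission("alice", null).Intersect(new PrincipalPermission(null, "Operators")));

        // An empty-name GenericIdentity reports IsAuthenticated == false.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity(""), new string[0]);
        Check("anonymous, authenticated required", new PrincipalPermission(null, null, true));
    }
}
```

Within a single PrincipalPermission the name and role conditions are combined, so accepting any one of several roles requires a Union of permissions rather than one permission with several values.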

Important

Before you specify a demand for principal permission, you must set the current application domain's principal policy to the enumeration value WindowsPrincipal. By default, the principal policy is set to UnauthenticatedPrincipal. If you do not set the principal policy to WindowsPrincipal, a demand for principal permission will fail. You should execute the following code before you demand the principal permission:


The following example requires the active principal to be an administrator. The name parameter is null, which enables any user who is an administrator to pass the demand.


In Windows Vista and later versions of the Windows operating system, User Account Control (UAC) determines the privileges of a user. If you are a member of the Built-in Administrators group, you are assigned two run-time access tokens: a standard user access token and an administrator access token. By default, you are in the standard user role. To execute the code that requires you to be an administrator, you must first elevate your privileges from standard user to administrator. You can do this when you start an application by right-clicking the application icon and indicating that you want to run as an administrator.

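using System;
using System.Threading;
using System.Security.Permissions;
using System.Security.Principal;

class SecurityPrincipalDemo
{
    public static void Main()
    {
        // Bind the Windows user to the thread; the default policy is UnauthenticatedPrincipal.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        // A null name matches any user; the role must be Administrators.
        PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators");
        // Throws SecurityException if the active principal is not an administrator.
        principalPerm.Demand();
        Console.WriteLine("Demand succeeded.");
    }
}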

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0, 1.1, 1.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.