This documentation is archived and is not being maintained.

FileCodeGroup Class

Grants permission to manipulate files located in the code assemblies to code assemblies that match the membership condition. This class cannot be inherited.


Namespace:  System.Security.Policy
Assembly:  mscorlib (in mscorlib.dll)

public sealed class FileCodeGroup : CodeGroup

The FileCodeGroup type exposes the following members.

Public methodFileCodeGroupInitializes a new instance of the FileCodeGroup class.

Public propertyAttributeStringGets a string representation of the attributes of the policy statement for the code group. (Overrides CodeGroup.AttributeString.)
Public propertyChildrenGets or sets an ordered list of the child code groups of a code group. (Inherited from CodeGroup.)
Public propertyDescriptionGets or sets the description of the code group. (Inherited from CodeGroup.)
Public propertyMembershipConditionGets or sets the code group's membership condition. (Inherited from CodeGroup.)
Public propertyMergeLogicGets the merge logic. (Overrides CodeGroup.MergeLogic.)
Public propertyNameGets or sets the name of the code group. (Inherited from CodeGroup.)
Public propertyPermissionSetNameGets the name of the named permission set for the code group. (Overrides CodeGroup.PermissionSetName.)
Public propertyPolicyStatementGets or sets the policy statement associated with the code group. (Inherited from CodeGroup.)

Public methodAddChildAdds a child code group to the current code group. (Inherited from CodeGroup.)
Public methodCopyMakes a deep copy of the current code group. (Overrides CodeGroup.Copy().)
Protected methodCreateXmlWhen overridden in a derived class, serializes properties and internal state specific to a derived code group and adds the serialization to the specified SecurityElement. (Inherited from CodeGroup.)
Public methodEquals(Object)Determines whether the specified code group is equivalent to the current code group. (Overrides CodeGroup.Equals(Object).)
Public methodEquals(CodeGroup, Boolean)Determines whether the specified code group is equivalent to the current code group, checking the child code groups as well, if specified. (Inherited from CodeGroup.)
Protected methodFinalizeAllows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
Public methodFromXml(SecurityElement)Reconstructs a security object with a given state from an XML encoding. (Inherited from CodeGroup.)
Public methodFromXml(SecurityElement, PolicyLevel)Reconstructs a security object with a given state and policy level from an XML encoding. (Inherited from CodeGroup.)
Public methodGetHashCodeGets the hash code of the current code group. (Overrides CodeGroup.GetHashCode().)
Public methodGetTypeGets the Type of the current instance. (Inherited from Object.)
Protected methodMemberwiseCloneCreates a shallow copy of the current Object. (Inherited from Object.)
Protected methodParseXmlWhen overridden in a derived class, reconstructs properties and internal state specific to a derived code group from the specified SecurityElement. (Inherited from CodeGroup.)
Public methodRemoveChildRemoves the specified child code group. (Inherited from CodeGroup.)
Public methodResolveResolves policy for the code group and its descendants for a set of evidence. (Overrides CodeGroup.Resolve(Evidence).)
Public methodResolveMatchingCodeGroupsResolves matching code groups. (Overrides CodeGroup.ResolveMatchingCodeGroups(Evidence).)
Public methodToStringReturns a string that represents the current object. (Inherited from Object.)
Public methodToXml()Creates an XML encoding of the security object and its current state. (Inherited from CodeGroup.)
Public methodToXml(PolicyLevel)Creates an XML encoding of the security object, its current state, and the policy level within which the code exists. (Inherited from CodeGroup.)

Code groups are the building blocks of code access security policy. Each policy level consists of a root code group that can have child code groups. Each child code group can have their own child code groups; this behavior extends to any number of levels, forming a tree. Each code group has a membership condition that determines if a given assembly belongs to it based on the evidence for that assembly. Only code groups whose membership conditions match a given assembly and their child code groups apply policy.

FileCodeGroup has the same child matching semantics as UnionCodeGroup. However, FileCodeGroup returns a permission set containing a dynamically-calculated FileIOPermission that grants file access to the directory from which the code is run; UnionCodeGroup only returns a static permission set. The type of file access granted is passed as a parameter to the constructor.

This code group only matches assemblies run over a file protocol, that is, assemblies that have URLs that point to a file or UNC path.

The following example shows the use of members of the FileCodeGroup class.

using System;
using System.Security;
using System.Security.Policy;
using System.Security.Permissions;
using System.Reflection;

class Members
    static void Main(string[] args)
        FileCodeGroup fileCodeGroup = constructDefaultGroup();

        // Create a deep copy of the FileCodeGroup.
        FileCodeGroup copyCodeGroup = (FileCodeGroup)fileCodeGroup.Copy();

        CompareTwoCodeGroups(fileCodeGroup, copyCodeGroup);

        addPolicy(ref fileCodeGroup);
        addXmlMember(ref fileCodeGroup);
        updateMembershipCondition(ref fileCodeGroup);
        addChildCodeGroup(ref fileCodeGroup);

        Console.Write("Comparing the resolved code group ");
        Console.WriteLine("with the initial code group.");
        FileCodeGroup resolvedCodeGroup =
        if (CompareTwoCodeGroups(fileCodeGroup, resolvedCodeGroup))

        Console.WriteLine("This sample completed successfully; " +
            "press Enter to exit.");

    // Construct a new FileCodeGroup with Read, Write, Append 
    // and PathDiscovery access.
    private static FileCodeGroup constructDefaultGroup()
        // Construct a new file code group that has complete access to
        // files in the specified path.
        FileCodeGroup fileCodeGroup = 
            new FileCodeGroup(
            new AllMembershipCondition(),

        // Set the name of the file code group.
        fileCodeGroup.Name = "TempCodeGroup";

        // Set the description of the file code group.
        fileCodeGroup.Description = "Temp folder permissions group";

        // Retrieve the string representation of the  fileCodeGroup�s 
        // attributes. FileCodeGroup does not use AttributeString, so the
        // value should be null.
        if (fileCodeGroup.AttributeString != null)
            throw new NullReferenceException(
                "The AttributeString property should be null.");

        return fileCodeGroup;

    // Add file permission to restrict write access to all files on the
    // local machine.
    private static void addPolicy(ref FileCodeGroup fileCodeGroup)
        // Set the PolicyStatement property to a policy with read access to
        // the root directory of drive C.
        FileIOPermission rootFilePermissions = 
            new FileIOPermission(PermissionState.None);
        rootFilePermissions.AllLocalFiles = FileIOPermissionAccess.Read;

        NamedPermissionSet namedPermissions =
            new NamedPermissionSet("RootPermissions");

        fileCodeGroup.PolicyStatement =
            new PolicyStatement(namedPermissions);

    // Set the membership condition of the specified FileCodeGroup 
    // to the Intranet zone.
    private static void updateMembershipCondition(
        ref FileCodeGroup fileCodeGroup)
        ZoneMembershipCondition zoneCondition =
            new ZoneMembershipCondition(SecurityZone.Intranet);
        fileCodeGroup.MembershipCondition = zoneCondition;

    // Add a child group with read-access file permission to the specified 
    // code group.
    private static void addChildCodeGroup(ref FileCodeGroup fileCodeGroup)
        // Create a file code group with read-access permission.
        FileCodeGroup tempFolderCodeGroup = new FileCodeGroup(
            new AllMembershipCondition(), 

        // Set the name of the child code group and add it to 
        // the specified code group.
        tempFolderCodeGroup.Name = "Read-only group";

    // Compare the two specified file code groups for equality.
    private static bool CompareTwoCodeGroups(
        FileCodeGroup firstCodeGroup, FileCodeGroup secondCodeGroup)
        if (firstCodeGroup.Equals(secondCodeGroup))
            Console.WriteLine("The two code groups are equal.");
            return true;
            Console.WriteLine("The two code groups are not equal.");
            return false;

    // Retrieve the resolved policy based on Evidence from the executing 
    // assembly found in the specified code group.
    private static string ResolveEvidence(CodeGroup fileCodeGroup)
        string policyString = "";

        // Resolve the policy based on evidence in the executing assembly.
        Assembly assembly = Assembly.GetExecutingAssembly();
        Evidence executingEvidence = assembly.Evidence;

        PolicyStatement policy = fileCodeGroup.Resolve(executingEvidence);

        if (policy != null)
            policyString = policy.ToString();

        return policyString;

    // Retrieve the resolved code group based on the Evidence from 
    // the executing assembly found in the specified code group.
    private static FileCodeGroup ResolveGroupToEvidence(
        FileCodeGroup fileCodeGroup)
        // Resolve matching code groups to the executing assembly.
        Assembly assembly = Assembly.GetExecutingAssembly();
        Evidence evidence = assembly.Evidence;
        CodeGroup codeGroup = 

        return (FileCodeGroup)codeGroup;

    // If a domain attribute is not found in the specified FileCodeGroup,
    // add a child XML element identifying a custom membership condition.
    private static void addXmlMember(ref FileCodeGroup fileCodeGroup)
        SecurityElement xmlElement = fileCodeGroup.ToXml();

        SecurityElement rootElement = new SecurityElement("CodeGroup");

        if (xmlElement.Attribute("domain") == null) 
            SecurityElement newElement = 
                new SecurityElement("CustomMembershipCondition");



        Console.WriteLine("Added a custom membership condition:");

    // Print the properties of the specified code group to the console.
    private static void PrintCodeGroup(CodeGroup codeGroup)
        // Compare the type of the specified object with the FileCodeGroup
        // type.
        if (!codeGroup.GetType().Equals(typeof(FileCodeGroup)))
            throw new ArgumentException("Expected the FileCodeGroup type.");

        string codeGroupName = codeGroup.Name;
        string membershipCondition = codeGroup.MembershipCondition.ToString();
        string permissionSetName = codeGroup.PermissionSetName;

        int hashCode = codeGroup.GetHashCode();

        string mergeLogic = "";
        if (codeGroup.MergeLogic.Equals("Union"))
            mergeLogic = " with Union merge logic";

        // Retrieve the class path for FileCodeGroup.
        string fileGroupClass = codeGroup.ToString();

        // Write summary to the console window.
        Console.WriteLine("\n*** " + fileGroupClass + " summary ***");
        Console.Write("A FileCodeGroup named ");
        Console.Write(codeGroupName + mergeLogic);
        Console.Write(" has been created with hash code" + hashCode + ".");
        Console.Write("This code group contains a " + membershipCondition);
        Console.Write(" membership condition with the ");
        Console.Write(permissionSetName + " permission set. ");

        Console.Write("The code group has the following security policy: ");

        int childCount = codeGroup.Children.Count;
        if (childCount > 0 )
            Console.Write("There are " + childCount);
            Console.WriteLine(" child code groups in this code group.");

            // Iterate through the child code groups to display their names
            // and remove them from the specified code group.
            for (int i=0; i < childCount; i++)
                // Get child code group as type FileCodeGroup.
                FileCodeGroup childCodeGroup = 

                Console.Write("Removing the " + childCodeGroup.Name + ".");
                // Remove child code group.

            Console.Write("There are no child code groups");
            Console.WriteLine(" in this code group.");
// This sample produces the following output:
// The two code groups are equal.
// Added a custom membership condition:
// <CodeGroup>
// <CustomMembershipCondition class="CustomMembershipCondition"
//                                version="1"
//                                domain=""/>
//                                </CodeGroup>
// Comparing the resolved code group with the initial code group.
// The two code groups are not equal.
// *** System.Security.Policy.FileCodeGroup summary ***
// A FileCodeGroup named  with Union merge logic has been created with hash
// code 113151473. This code group contains a Zone - Intranet membership
// condition with the Same directory FileIO - NoAccess permission set. The
// code group has the following security policy:
// There are 1 child code groups in this code group.
// Removing the Read-only group.
// This sample completed successfully; press Enter to exit.

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0, 1.1, 1.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.