This documentation is archived and is not being maintained.

Administration with Code Group Attributes

Important noteImportant

In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.

Suppose you are an enterprise administrator who is responsible for administering security policy for a number of workstations. In the typical enterprise domain, the network administrator has administrative privileges on every server and every client. However, it is not uncommon for individual users to have administrative privileges on a single workstation. As a result, the network administrator has administrative privileges on the enterprise policy level and the workstation administrator has administrative privileges on the machine policy level. In this situation, the network administrator seems to have more control over policy because enterprise policy is evaluated first and machine policy is not allowed to loosen security decisions made by the enterprise level administrator. However, the machine level administrator can still tighten security, potentially breaking trusted applications that would otherwise have been allowed to run. For this reason, higher policy levels can choose to exclude lower-level policy decisions from being evaluated.

You can do this by applying the LevelFinal or Exclusive attribute to a code group by using one of the security policy tools.

When applied to a code group, the LevelFinal attribute excludes any policy level from being evaluated below the current level. For example, if you apply the LevelFinal attribute to the local intranet code group at the enterprise level, any code group at the machine level will not be evaluated even if a machine level administrator has made changes. Applying the LevelFinal attribute guarantees that an assembly associated with a code group marked with this attribute will never receive fewer permissions because of decisions made by a lower policy level administrator. For information on setting the LevelFinal attribute on a default or custom code group, see the .NET Framework Configuration tool (Mscorcfg.msc) or the Code Access Security Policy tool (Caspol.exe).

When applied to a code group, the Exclusive attribute prevents other code groups in the same policy level from being considered when the runtime computes permissions for assemblies that are in the exclusive code group. Policy levels above and below the current level are still evaluated, though. This attribute allows one specific code group to make the sole decision for the current policy level regarding what permissions are granted to assemblies that match that group. This is useful when you want to grant a specific set of permissions to specific assemblies, without allowing permissions from other code group matches on the same policy level.

Note that an assembly is not allowed to execute if it belongs to more than one code group marked as exclusive. Therefore, use the Exclusive attribute sparingly when administering custom security policy. For information on setting the Exclusive attribute on a built in or custom code group, see the .NET Framework Configuration tool (Mscorcfg.msc) or the Code Access Security Policy tool (Caspol.exe).