How to: Add Code Groups Using Caspol.exe
Sample Group Addition Commands
When you use the Code Access Security Policy tool (Caspol.exe) to add a code group to a code group hierarchy, you must define both a membership condition and a permission set for the new code group. You must also define the label or name of the parent code group in which you are adding the new code group. Optionally, you can also set other flags on the code group. For more information about these flags, see Code Access Security Policy Tool (Caspol.exe).
To add a code group to a code group hierarchy
Type the following command at the command prompt:
caspol [-enterprise|-machine|-user] -addgroup {parentLabel|parentName} mship pset_name [-exclusive {on|off}][-levelfinal {on|off}] [-name name] [-description description text]
Specify the policy-level option before the –addgroup option. If you omit the policy-level option, Caspol.exe adds the code group to the default policy level. For computer administrators, the default level is the machine policy level; for others, it is the user policy level. In this command:
The parentLabel argument is the label of the parent code group for the new code group. Alternatively, you can use the parent's code group name (parentName) instead of the parentLabel. To obtain this information, list the code groups as described in How to: View Code Groups Using Caspol.exe.
The pset_name argument is the name of the permission set to associate with the new code group. Before a named permission set can be associated with a code group, it must be known at the policy level where you are adding the new code group. For example, if you want to associate a MyPset permission set with a new code group in the user policy, you must have already added the MyPset permission set to the user policy. The only time a permission set does not need to be added beforehand is when you use one of the standard permission sets provided by the .NET Framework. To learn how to add a permission set to a policy level, see How to: Add Permission Sets Using Caspol.exe.
The mship argument is the membership condition for the new code group. For the list of values for the mship argument, see Code Access Security Policy Tool (Caspol.exe).
Note
You cannot use the –addgroup option to add a code group to more than one level at a time. Each such addition must be made separately because different code group labels and the availability of certain permission sets can cause confusion.
Sample Group Addition Commands
The following procedures describe how to perform some of the most common code group addition tasks.
To add a code group that targets code from the intranet
Use the -zone option, and specify Intranet as the membership value.
The following command associates the Everything permission set with code from the intranet. The code group is also given the name Intranet_CG. You can use this name to refer to the newly created code group, rather than using its numeric labels.
caspol –addgroup 1.1. –zone Intranet Everything –name "Intranet_CG"
To add a code group that targets code from the Internet Explorer Trusted sites
Use the –zone option, and specify Trusted as the membership value.
The following command associates the LocalIntranet permission set with code from the trusted zone and inserts the new code group as a child of the root of the code group hierarchy.
caspol -addgroup All_Code -zone Trusted LocalIntranet
To add a code group that targets a specific software publisher
Use the –pub option, and specify a certificate file, a signed file, or the hexadecimal representation of an X.509 certificate.
Files from a software publisher must be signed appropriately for this membership condition to work. The membership condition can be constructed on the basis of either an actual certificate file or a signed .exe file.
Suppose the certificate file for FourthCoffee (FourthCoffee.cer) is available. The following command adds a code group in the machine policy for code published by FourthCoffee and associates the Nothing permission set with the new group. The code group is added as a child code group of the root.
caspol –machine –addgroup 1 –pub –cert FourthCoffee.cer Nothing
To add a code group that targets code from a particular Web site
Use the –site option, and specify the URL of the Web site.
Note
Due to the possibility of DNS name spoofing, using a Web site as a membership condition is not an effective way to ascertain the identity of code. Where possible, use a strong name membership condition, publisher membership condition, or the hash membership condition.
The following command associates the Intranet permission set with code from www.microsoft.com.
caspol –addgroup 1 –site www.microsoft.com Intranet
To add a code group that targets code from a particular URL
Use the –url option, and specify the URL of the site.
The URL must include a protocol, such as http://, http://, or ftp://. Additionally, a wildcard character (*) can be used to specify multiple assemblies from a particular URL.
Note
Because a URL can be identified using multiple names, using a URL as a membership condition is not a safe way to ascertain the identity of code. Where possible, use a strong name membership condition, a publisher membership condition, or the hash membership condition.
caspol –user –addgroup 1 –url https://www.contoso.com/bin/* FullTrust caspol –user –addgroup 1 –url https://www.contoso.com/bin/MyAssembly.dll FullTrust
To add a code group that overrides other permissions at a policy level
Set the –exclusive flag for the new code group.
The following command adds a code group under the Intranet_cg code group. The new code group grants the Everything permission set if the zone is trusted, overriding any other permissions that other code groups might grant.
caspol –addgroup "Intranet_cg" –zone Trusted Everything –exclusive on
To add a code group with a custom membership condition
Use the –custom option, and specify an XML file that contains the XML serialization of the custom membership condition.
Caspol.exe supports the use of custom membership conditions in policy, which makes the policy system highly extensible.
The following command adds a new code group to the root of the user policy. This new code group contains a custom membership condition found in the NewMembershipCondition.xml file and grants full trust to assemblies matching this membership condition.
caspol –user –addgroup All_Code –custom NewMembershipCondition.xml FullTrust
To add a code group with a name and description
Use the –name option, and specify a name for the code group. Double quotes (" ") are required around names that contain spaces.
Use the –description option, and specify a description for the code group.
You can use the name later to refer to a code group. The name provides better support than numeric labels for scripting policy changes.
Default policy is shipped with default names. If not explicitly changed by an administrator, the default names make it easy for administrators using Caspol.exe to access specific code groups across policies and computers.
The following command adds a code group under the All_Code group in the machine policy. The new code group checks for a FourthCoffee strong name (as found on Signed.exe) and grants FullTrust to all code that is so signed. The code group is named FouthCoffeeStrongName and is given an appropriate description.
caspol –machine –addgroup All_Code –strong –file signed.exe FullTrust –name FouthCoffeeStrongName –description "Code group granting trust to code signed by FourthCoffee"
Note
If the same name is present in more than one code group, Caspol.exe resolves to the first code group it can find with the given name. It searches all the child code groups of a code group before searching sibling groups.
See Also
Reference
Caspol.exe (Code Access Security Policy Tool)
Concepts
Other Resources
Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe)