This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!
Define the permission object semantics
Once the resource protection semantics and the appropriate granularity of permission control are determined, the next step for the developer is to define the permission object itself.
There are a few typical kinds of permissions that are used depending on the resource being protected and granularity of protection. Most permissions will be one or these standard design patterns or a combination thereof, although other designs are possible when circumstances so indicate.
- Boolean permissions – this simplest kind of permission object holds one or more bits that correspond to “permission to do X”. This approach provides no degrees of permission between can and cannot. For example, the SecurityPermission contains several Boolean permissions such as UnmanagedCode (permission to call it).
- Levels of permissions – a slightly granular form beyond Boolean permissions, typically this represents the permission as numbers from zero (no permission at all for this) to some higher number meaning unrestricted permission, with a few levels in-between. For example, the UIPermission has a few levels of permission to use windows with a few safer gradations between none and full unrestricted permission. (Note that Boolean is just a 0/1 level permission.)
- Object list permissions – provides a very granular permission that specifies what is or is not allowed. The FilePermission is a classic example where it uses lists of files that certain kinds of access are allowed on. Permissions with lists are most useful for protecting resources that contain a large number of named objects.