NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

Granting permissions

If policy determines that the code may run, it will be granted a set of permissions based on trust as defined in the configuration. The granted permission set, G, is computed as follows:

G = RM + ( intersection of RO and PA ) – RR

In terms of the model, the granted permission set is the minimum request and some subset of the optional request as allowed by policy, less any permissions either policy or the code request refused.

Implementation note: instead of computing the set subtraction for grant set G above, an implementation may hold the grant as two sets, (RM + (RO ∩ PA)) and RR, with a permission check testing for inclusion in the former and verifying that the permission is not included in the latter. This allows a grant to express a subtractive set (e.g. “C:\” except “C:\WINDOWS”) without having to express these complex sets in individual permissions.
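The two-set check from the implementation note, as an added example (not code from the SDK). It assumes permissions are directory trees and that each demand is a single, already-canonical file path; `Grant`, `covers`, `intersect` and the sample sets are hypothetical names and constructed values.

```python
from pathlib import PureWindowsPath

def _parts(path):
    # Windows paths compare case-insensitively; split on components so that
    # C:\WINDOWS2 is not mistaken for something under C:\WINDOWS.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def covers(prefix, path):
    """True if `path` is `prefix` itself or lies beneath it."""
    a, b = _parts(prefix), _parts(path)
    return b[:len(a)] == a

def intersect(xs, ys):
    """Intersection of two sets of directory trees: where one tree contains
    the other, the narrower tree is what both sets have in common."""
    out = set()
    for x in xs:
        for y in ys:
            if covers(x, y):
                out.add(y)
            elif covers(y, x):
                out.add(x)
    return out

class Grant:
    """Hypothetical grant held as two sets: RM + (RO ∩ PA), and RR."""
    def __init__(self, rm, ro, pa, rr):
        self.allowed = set(rm) | intersect(ro, pa)
        self.refused = set(rr)

    def check(self, path):
        # Assumes `path` is one already-canonical file path (no "..").
        in_allowed = any(covers(p, path) for p in self.allowed)
        in_refused = any(covers(p, path) for p in self.refused)
        return in_allowed and not in_refused

# Constructed sample sets.
GRANT = Grant(
    rm={"C:\\app\\data"},        # minimum request
    ro={"C:\\", "E:\\"},         # optional request
    pa={"C:\\", "D:\\"},         # allowed by policy
    rr={"C:\\WINDOWS"},          # refused
)

if __name__ == "__main__":
    for p in ("C:\\app\\data\\log.txt", "C:\\Users\\a.txt",
              "C:\\windows\\system32\\cmd.exe", "C:\\WINDOWS2\\a.txt",
              "D:\\x.txt", "E:\\x.txt"):
        print(p, GRANT.check(p))
```

Because the refused set is consulted on every check rather than subtracted once, “C:\” stays in the allowed set as a single entry and the exclusion of “C:\WINDOWS” still holds for any path beneath it.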