NGWS SDK Documentation  

This is preliminary documentation and subject to change.

When to use a custom permission

Custom permissions, like any permission, fundamentally define protection for a resource. Once defined, a custom permission can be used in exactly the same manner as standard permissions.

When code exposes a completely new kind of resource that no standard permission covers, a custom permission needs to be defined so that access rights to the resource can be administered.

Custom permissions should not be used in an attempt to redefine an existing permission; wherever possible, permissions should be non-overlapping. Having multiple permissions for the same resource presents an extremely confusing problem for administrators: to protect a single resource they need to deal with both permissions at the same time. (Otherwise, if they “close the door” with one permission, code that reaches the resource by the route the other permission protects will still be able to access it.)

For example, managed code that exposes a new input device would need a new permission to define access to that device.

As another example, code that manages application-defined resources such as personnel records may best protect them with a specifically defined permission when the access modes and granularity do not correspond to the permission for the underlying system resource. Suppose that one employee record is stored in a file, but read and write access needs to be controlled independently on different pieces of the data. Since the file permission only specifies access to the file as a whole, a custom permission is needed to specify more fine-grained access. Alternatively, apart from any question of what the permission can express, a custom permission that corresponds more directly to the programming model for a resource can make the code more understandable.
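
The personnel-record case above, as an added example (not code from the SDK documentation): a permission whose state is a pair of per-field read and write masks, so a grant can allow reading one field while denying writes to another. It assumes the CodeAccessPermission base class as it shipped in the .NET Framework, which this preliminary documentation may not match; PersonnelRecordPermission and RecordFields are hypothetical names.

```csharp
using System;
using System.Security;

// Hypothetical names throughout; one flag per independently protected field.
[Flags]
public enum RecordFields { None = 0, Name = 1, Salary = 2, Review = 4 }

[Serializable]
public sealed class PersonnelRecordPermission : CodeAccessPermission
{
    private RecordFields read, write;   // fields readable / writable under this grant

    public PersonnelRecordPermission(RecordFields read, RecordFields write)
    { this.read = read; this.write = write; }

    public override IPermission Copy()
    { return new PersonnelRecordPermission(read, write); }

    // A demand succeeds only if the demanded permission is a subset of the grant.
    public override bool IsSubsetOf(IPermission target)
    {
        if (target == null) return (read | write) == RecordFields.None;
        PersonnelRecordPermission o = Cast(target);
        return (read & ~o.read) == 0 && (write & ~o.write) == 0;
    }

    // Field-by-field intersection; null means "no access at all".
    public override IPermission Intersect(IPermission target)
    {
        if (target == null) return null;
        PersonnelRecordPermission o = Cast(target);
        RecordFields r = read & o.read, w = write & o.write;
        return (r | w) == RecordFields.None ? null : new PersonnelRecordPermission(r, w);
    }

    public override SecurityElement ToXml()
    {
        SecurityElement e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        e.AddAttribute("Read", read.ToString());
        e.AddAttribute("Write", write.ToString());
        return e;
    }

    public override void FromXml(SecurityElement e)
    {
        read = (RecordFields)Enum.Parse(typeof(RecordFields), e.Attribute("Read"));
        write = (RecordFields)Enum.Parse(typeof(RecordFields), e.Attribute("Write"));
    }

    private static PersonnelRecordPermission Cast(IPermission p)
    {
        if (!(p is PersonnelRecordPermission)) throw new ArgumentException("wrong permission type");
        return (PersonnelRecordPermission)p;
    }
}
```

A method that updates the salary field would call `new PersonnelRecordPermission(RecordFields.None, RecordFields.Salary).Demand()` before opening the file, so a caller granted only read access fails the demand even though a file permission would have treated the whole record as one unit.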

To implement a custom permission, the developer must:

The following subsections detail these steps.