NGWS SDK Documentation  

This is preliminary documentation and subject to change.

Viewing Policy

To view the policy (the code group hierarchy and the list of known permission sets) for a policy level, use the -list option.

Caspol -list

This shows the code group hierarchy and the known named permission sets at the default policy level (for administrators that is the machine policy level; for others it is the user policy level).

It is possible to explicitly direct an option to either the machine or the user policy level. To do so, prefix the option with -machine or -user. This can be used to list the policy of either the machine or the user level, as shown below:

Caspol -machine -list
Caspol -user -list

To list the policy of both the machine and the user level, use -all in place of -machine or -user, as shown below:

Caspol -all -list

This will list both the machine and the user policy.

In general, the output of the -list option has the following format:

Microsoft (R) COM+ Caspol [Version] - the policy manipulation tool
Copyright (c) Microsoft Corp 1999-1999. All rights reserved.

Security is [ON|OFF]
Execution Checking is [ON|OFF]
Policy Change Prompt is [ON|OFF]

Level = [Machine|User]

Code Groups:

1. [(FirstMatchCodeGroup)] MemberShipConditionName [– Value] : PermSetName 
[(FirstMatchCodeGroup)] MemberShipCondName [– Value] : PermSetName 
……
…..

Named Permission Sets:

1. Permission Set:Pset_name,(Description)
<Pset Xml>

2. Permission Set:Pset_name,(Description)
<Pset Xml>

As can be seen, code groups are labeled by a reference number. This number is used in CASPol options to refer back to specific code groups. The membership condition name and, if present, the membership condition value are listed, followed by the name of the permission set associated with that code group. If the code group merges the permissions of its child code groups using the First Match logic, this is indicated by (FirstMatchCodeGroup). The default merge logic is to union the permissions granted by child code groups (for more information, please refer to the Policy Specification).

Following the code group hierarchy is a list of the named permission sets known at that policy level.
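
A parser for the listing layout described above, as an added example that is not part of the SDK documentation: it reads captured -list output and reports which code groups grant a given permission set. The dotted child labels (1.1., 1.2.), the sample names and values, and the function names parse_list_output and groups_granting are assumptions for illustration.

```python
import re
# Constructed sample in the layout described above; child labels, names and values are assumed.
SAMPLE = """\
Security is ON
Execution Checking is ON
Policy Change Prompt is OFF

Level = Machine

Code Groups:
1. (FirstMatchCodeGroup) All code : Nothing
1.1. Zone - MyComputer : FullTrust
1.2. Url - http://intranet.example/* : LocalIntranet

Named Permission Sets:
1. Permission Set:FullTrust,(Constructed description)
<Pset Xml>
"""

FLAG = re.compile(r"^(Security|Execution Checking|Policy Change Prompt) is (ON|OFF)$")
LEVEL = re.compile(r"^Level = (\w+)$")
# The permission set name follows the last colon, so condition values may contain colons.
GROUP = re.compile(r"^(\d+(?:\.\d+)*)\.\s+(\(FirstMatchCodeGroup\)\s+)?(.+?)\s*:\s*([^:]+)$")
PSET = re.compile(r"^\d+\.\s+Permission Set:\s*([^,]+),")

def parse_list_output(text):
    """Return the ON/OFF flags plus, per policy level, code groups and permission set names."""
    policy, level, section = {"flags": {}, "levels": {}}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FLAG.match(line):
            policy["flags"][m.group(1)] = m.group(2) == "ON"
        elif m := LEVEL.match(line):  # -all output carries one block per level
            level, section = policy["levels"].setdefault(m.group(1), {"groups": [], "psets": []}), None
        elif line in ("Code Groups:", "Named Permission Sets:"):
            section = line
        elif level is not None and section == "Code Groups:" and (m := GROUP.match(line)):
            parts = re.split(r"\s+[-–]\s+", m.group(3), maxsplit=1)  # hyphen or en dash
            level["groups"].append({"label": m.group(1), "first_match": bool(m.group(2)),
                                    "condition": parts[0], "value": parts[1] if len(parts) > 1 else None,
                                    "permission_set": m.group(4).strip()})
        elif level is not None and section == "Named Permission Sets:" and (m := PSET.match(line)):
            level["psets"].append(m.group(1).strip())
    return policy

def groups_granting(policy, pset):
    """List (level, label, condition, value) for every code group tied to permission set pset."""
    return [(lvl, g["label"], g["condition"], g["value"])
            for lvl, d in policy["levels"].items() for g in d["groups"] if g["permission_set"] == pset]
```
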