CASPol is a command-line tool that is used to administer code access security (CAS). Security policy changes should always be made using this tool. This ensures that the security configuration files will not be inadvertently corrupted. CASPol also includes several features that allow administrators to catch, reverse and analyze unintended policy changes.
In the following sections I will show how most standard security administration tasks are completed using CASPol.
To facilitate references to code groups in a hierarchy, the policy list (-list command, see below) will show indented objects with labels (1, 1.1, 1.1.1, etc.) for reference purposes. Subsequent command line operations targeting code groups use these labels to refer to specific code groups.
Named permission sets are referenced by their name. When a policy is listed, the code groups are shown first, followed by the named permission sets available in that policy.
CASPol users can also switch between the user and machine policies (using the -machine and -user options, see below).
If a user without machine administrative rights calls CASPol, by default all CASPol options refer to the user-level policy, unless the CASPol user explicitly refers to the machine policy level (see "Viewing Policy").
If an administrator calls CASPol, by default all CASPol options refer to the machine's policy, unless the administrator explicitly specifies the user policy level as the target (see below).
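
An added example (not from the original page): a Windows PowerShell script that names the policy level explicitly, so the result does not depend on who runs it, and collects the code-group labels from each level. It assumes caspol.exe sits in the .NET Framework runtime directory and that `-listgroups` prints each group as an indented label followed by a period; `Get-CasCodeGroup` is a hypothetical helper name.

```powershell
# Added example. Assumes Windows PowerShell 5.x with .NET Framework installed,
# so that caspol.exe is found in the runtime directory.
$runtimeDir = [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
$caspol     = Join-Path $runtimeDir 'caspol.exe'
if (-not (Test-Path $caspol)) { throw "caspol.exe not found at $caspol" }

# Per the rule above, the level a bare caspol call targets depends on the caller.
# IsInRole reflects the current token, so it reports False in an unelevated session.
$identity     = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal    = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin      = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$defaultLevel = if ($isAdmin) { 'machine' } else { 'user' }
Write-Host "Administrator: $isAdmin; expected default level: $defaultLevel"

# Hypothetical helper: list the code groups of one policy level as objects.
function Get-CasCodeGroup {
    param([ValidateSet('machine', 'user')] [string] $Level)

    # Passing -machine or -user explicitly overrides the caller-dependent default.
    & $caspol "-$Level" -listgroups | ForEach-Object {
        # Assumed line shape: indentation, label (1, 1.1, 1.1.1, ...), period, description.
        if ($_ -match '^\s*(\d+(?:\.\d+)*)\.\s+(.*)$') {
            [pscustomobject]@{
                Level       = $Level
                Label       = $Matches[1]                     # value later commands refer to
                Depth       = ($Matches[1] -split '\.').Count  # 1 = root code group
                Description = $Matches[2].Trim()
            }
        }
    }
}

# Snapshot both levels; the same label can name different groups in each one.
$groups = 'machine', 'user' | ForEach-Object { Get-CasCodeGroup -Level $_ }
$groups | Format-Table Level, Label, Depth, Description -AutoSize
```

Labels are positional, so re-run the listing after any change to the hierarchy before reusing a label in a later command.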