The function of security policy is to grant permissions to code based on evidence. The policy model consists of declarations of code groups, each with an associated permission set that is granted to any code that is a member of the group. Code group membership is determined by evidence about the code, such as its digital signature, the origin of the code (where it was loaded from), and so forth. Administrators add code groups to the default policy to further control the permissions granted to code belonging to the respective groups. Because grants follow from evidence, policy is only as strong as the evidence it keys on: a membership condition based on origin is meaningful only if the host loading the code supplies that origin faithfully, and a condition based on a digital signature is only as strong as the protection of the signing key.
The security policy model is structured as a policy hierarchy, with machine and user levels, and each level consists of a code group hierarchy of its own, as described in detail in the following sections.
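The following is an added illustration of how the model above resolves a grant; it is not the page's own text nor the runtime's actual policy engine, and it assumes the usual evaluation rule (within one policy level, a code group's permissions are granted only when its membership condition matches, child groups are examined only under a matching parent, and the matches are unioned; the grants of the separate policy levels are then intersected). The zone names, permission names, and the signer token `0123456789abcdef` are illustrative values constructed for the example.

```python
"""Simplified model of evidence-based policy resolution: code groups with
membership conditions, arranged in a hierarchy per policy level.
Added illustration, not the runtime's System.Security.Policy implementation."""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional

# Illustrative permission universe; FULL_TRUST stands for the unrestricted set.
FULL_TRUST = frozenset({"Execution", "UserInterface", "FileDialog",
                        "IsolatedStorage", "FileIO", "Registry", "UnmanagedCode"})
INTERNET = frozenset({"Execution", "UserInterface", "FileDialog", "IsolatedStorage"})
EXECUTION_ONLY = frozenset({"Execution"})
NOTHING: FrozenSet[str] = frozenset()

TRUSTED_TOKEN = "0123456789abcdef"   # hypothetical strong-name public key token


@dataclass(frozen=True)
class Evidence:
    """Evidence about an assembly: where it came from and who signed it."""
    zone: str                               # "MyComputer", "Intranet", "Internet"
    public_key_token: Optional[str] = None  # strong-name signer, if signed


Condition = Callable[[Evidence], bool]


def all_code(_: Evidence) -> bool:
    return True


def zone_is(zone: str) -> Condition:
    return lambda ev: ev.zone == zone


def strong_name_is(token: str) -> Condition:
    return lambda ev: ev.public_key_token == token


@dataclass
class CodeGroup:
    name: str
    condition: Condition
    permissions: FrozenSet[str]
    children: List["CodeGroup"] = field(default_factory=list)


def resolve_level(group: CodeGroup, ev: Evidence) -> FrozenSet[str]:
    """Union of the permission sets of every matching group in one level.
    Children are examined only when their parent's condition matched."""
    if not group.condition(ev):
        return NOTHING
    granted = set(group.permissions)
    for child in group.children:
        granted |= resolve_level(child, ev)
    return frozenset(granted)


def resolve_policy(levels: List[CodeGroup], ev: Evidence) -> FrozenSet[str]:
    """Final grant is the intersection of the grants from each policy level."""
    granted = FULL_TRUST
    for root in levels:
        granted &= resolve_level(root, ev)
    return granted


def machine_level() -> CodeGroup:
    """Machine level: zones get graded trust; an administrator-added group
    under Intranet_Zone gives signed intranet code one extra permission."""
    return CodeGroup("All_Code", all_code, NOTHING, [
        CodeGroup("My_Computer_Zone", zone_is("MyComputer"), FULL_TRUST),
        CodeGroup("Internet_Zone", zone_is("Internet"), INTERNET),
        CodeGroup("Intranet_Zone", zone_is("Intranet"), INTERNET | {"FileIO"}, [
            CodeGroup("Signed_Intranet", strong_name_is(TRUSTED_TOKEN),
                      frozenset({"Registry"})),
        ]),
    ])


def user_level(restrict_internet: bool = False) -> CodeGroup:
    """User level: by default grants everything (so the machine level decides).
    The restricted variant lowers the root and re-grants the other zones, since
    groups within a level can only add permissions, never remove them."""
    if not restrict_internet:
        return CodeGroup("All_Code", all_code, FULL_TRUST)
    return CodeGroup("All_Code", all_code, NOTHING, [
        CodeGroup("My_Computer_Zone", zone_is("MyComputer"), FULL_TRUST),
        CodeGroup("Intranet_Zone", zone_is("Intranet"), FULL_TRUST),
        CodeGroup("Internet_Zone", zone_is("Internet"), EXECUTION_ONLY),
    ])


if __name__ == "__main__":
    levels = [machine_level(), user_level(restrict_internet=True)]
    for ev in (Evidence("MyComputer"), Evidence("Internet"),
               Evidence("Intranet", TRUSTED_TOKEN), Evidence("Internet", TRUSTED_TOKEN)):
        print(ev, "->", sorted(resolve_policy(levels, ev)))
```

Two consequences of the rules are visible when this runs: the same signed assembly gets the extra Registry permission only when loaded from the intranet zone, because Signed_Intranet sits under Intranet_Zone and is never examined for Internet-zone evidence; and a user-level restriction that lowers the root group must explicitly re-grant the other zones, or the intersection strips every zone.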