Security policy controls which managed code is allowed to replace the active Principal object associated with a given thread (exposed as Thread.CurrentPrincipal). To replace the Principal object, the assembly must be granted System.Security.Permissions.SecurityPermission with the ControlPrincipal flag; the setter demands that permission, so a stack walk is performed when it is called.
Such code may also need additional permissions, for example FileIO read access to an authentication database of known entities. In addition, one would generally grant such code the Assert permission (SecurityPermission with the Assertion flag) so that it can assert ControlPrincipal and stop the stack walk at itself: otherwise every caller in the call chain would also have to be granted permission to change the active Principal object, which is exactly what one wants to avoid.
Security policy does not control the right to perform identity or role checks. There is always a Principal object present (by default an unauthenticated GenericPrincipal with an empty name), and any application code may inspect its identity and role information without holding any permission. This treatment is similar to that of the Code Identity permissions.
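The following C# program is an added example, not code from the original page or from the .NET Framework itself. It illustrates both points above: a hypothetical LoginService that asserts ControlPrincipal and replaces Thread.CurrentPrincipal after checking a constructed in-memory user table (standing in for the authentication database), and an unprivileged ReportService that inspects and demands roles on whatever principal is current. The type and method names, the user table and the "Custom" authentication type are assumptions. It targets the .NET Framework, where Code Access Security is enforced; note that fully trusted code (the default for locally installed assemblies) already holds every permission, so the difference between the two components only becomes visible when LoginService's callers run under partial trust.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical login component. In a real deployment this would live in its own
// assembly, granted SecurityPermission(ControlPrincipal) and SecurityPermission(Assertion)
// by policy. The user table is constructed sample data standing in for an
// authentication database (which would additionally need FileIO read access).
public static class LoginService
{
    // Constructed sample "authentication database": user -> (password, roles).
    private static readonly Dictionary<string, (string Password, string[] Roles)> Users =
        new Dictionary<string, (string, string[])>
        {
            { "alice", ("s3cret",  new[] { "Users", "Administrators" }) },
            { "bob",   ("hunter2", new[] { "Users" }) },
        };

    // Only this method's assembly needs ControlPrincipal. The declarative Assert
    // stops the stack walk here, so callers further up the chain need not hold it.
    // Using SecurityAction.Assert itself requires the Assertion flag.
    [SecurityPermission(SecurityAction.Assert, ControlPrincipal = true)]
    public static bool Login(string user, string password)
    {
        if (!Users.TryGetValue(user, out var record) || record.Password != password)
            return false;

        var identity = new GenericIdentity(user, "Custom");
        // The Thread.CurrentPrincipal setter demands SecurityPermission(ControlPrincipal);
        // the Assert above satisfies that demand on behalf of less trusted callers.
        Thread.CurrentPrincipal = new GenericPrincipal(identity, record.Roles);
        return true;
    }
}

// Ordinary application code: no permission is needed to inspect the principal,
// and one is always present (an unauthenticated GenericPrincipal by default).
public static class ReportService
{
    public static string Describe()
    {
        IPrincipal p = Thread.CurrentPrincipal;
        return "name='" + p.Identity.Name + "'"
             + " authenticated=" + p.Identity.IsAuthenticated
             + " admin=" + p.IsInRole("Administrators");
    }

    // Declarative role check: the runtime demands PrincipalPermission against
    // Thread.CurrentPrincipal and throws SecurityException when it does not match.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public static void DeleteAllReports()
    {
        Console.WriteLine("reports deleted");
    }
}

public static class Program
{
    public static void Main()
    {
        // Before login: anonymous principal, role demand fails.
        Console.WriteLine(ReportService.Describe());
        try { ReportService.DeleteAllReports(); }
        catch (SecurityException e) { Console.WriteLine("denied: " + e.Message); }

        // Wrong password: principal is left untouched.
        Console.WriteLine("login bob/wrong: " + LoginService.Login("bob", "wrong"));

        // Successful login replaces the thread's principal; the role demand now passes.
        Console.WriteLine("login alice: " + LoginService.Login("alice", "s3cret"));
        Console.WriteLine(ReportService.Describe());
        ReportService.DeleteAllReports();
    }
}
```

The split between the two classes is the point of the passage: ReportService never needs ControlPrincipal to call IsInRole or to carry a PrincipalPermission demand, while LoginService is the single place that needs both ControlPrincipal and Assertion, and its Assert is what keeps the requirement from leaking to every caller on the stack. Principals are per thread, so code that hands work to thread-pool threads must copy or re-establish the principal there; a replaced principal on one thread says nothing about another.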