Policy grants permissions to code on a per-assembly basis, and for each assembly the policy mechanism determines the subset of code groups in the configuration that it belongs to: CG1, CG2, CG3, … as detailed in the section Security Policy Hierarchy.