NGWS SDK Documentation  

This is preliminary documentation and subject to change.

Code Groups

A code group is a logical grouping of code in which a specified condition must be met for code to be a member of the group. Any code that meets the membership condition is included in the group. Each code group is also associated with a named permission set, and code groups can have attributes, which affect how the code group is used to define policy. Administrators configure security policy by managing code groups.

The runtime uses evidence that describes the code to determine whether a group's membership condition has been met. For example, if the membership condition of the code group is "Code that is from the www.microsoft.com web site", the runtime examines the evidence to determine whether the code does, in fact, originate from www.microsoft.com. The runtime decides which permissions can be granted to code by determining which code groups the code belongs to and then adding together the permission sets associated with the groups of which the code is a member.

Each type of policy (machine, user, and application domain) is represented by a hierarchy of code groups. The root of each hierarchy is the group containing all code. The "all code" group has child nodes, and those child nodes have children, and so on. If code is a member of the parent code group, then the code might be a member of one or more of that group's child code groups. If code is not a member of the parent code group, it cannot be a member of any of the code groups that are descended from that parent.
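The resolution rule described above, for a single hierarchy, can be modeled in a few lines. This is an added example and not SDK code or the runtime's implementation: the `CodeGroup` class, the `resolve` function, the evidence keys (`site`, `zone`), and the permission labels are all hypothetical names chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class CodeGroup:
    name: str
    condition: Callable[[dict], bool]  # membership condition evaluated against evidence
    permissions: frozenset             # the group's named permission set, flattened to labels
    children: list = field(default_factory=list)

def resolve(group, evidence):
    """Walk one hierarchy; return (union of granted permissions, matched group names)."""
    if not group.condition(evidence):
        # Not a member of this group: none of its descendants is evaluated at all.
        return frozenset(), []
    granted, matched = set(group.permissions), [group.name]
    for child in group.children:
        perms, names = resolve(child, evidence)
        granted |= perms               # permission sets of all matched groups are added together
        matched += names
    return frozenset(granted), matched

def site_is(host):
    return lambda ev: ev.get("site") == host

def zone_is(zone):
    return lambda ev: ev.get("zone") == zone

# Constructed policy: the same site condition appears under two different parents.
POLICY = CodeGroup("All code", lambda ev: True, frozenset(), [
    CodeGroup("Internet zone", zone_is("Internet"), frozenset({"Execute"}), [
        CodeGroup("Site www.microsoft.com", site_is("www.microsoft.com"),
                  frozenset({"FileDialog"})),
    ]),
    CodeGroup("Local zone", zone_is("Local"), frozenset({"Execute", "FileIO"})),
])

if __name__ == "__main__":
    samples = [  # constructed evidence
        {"zone": "Internet", "site": "www.microsoft.com"},
        {"zone": "Internet", "site": "example.test"},
        # Site condition would match, but its parent ("Internet zone") does not.
        {"zone": "Intranet", "site": "www.microsoft.com"},
    ]
    for ev in samples:
        perms, groups = resolve(POLICY, ev)
        print(ev, "->", sorted(perms), "via", groups)
```

The third sample is the case an administrator should check when auditing policy: a permissive child group grants nothing unless every ancestor's membership condition also matches.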

Code groups can be defined to have the following kinds of membership conditions: