NGWS SDK Documentation  

This is preliminary documentation and subject to change.

Computing the Allowed Permission Set

The runtime attempts to discover what permissions policy allows code to have by traversing the code group hierarchies for the relevant policy levels. For application domains, the relevant policies are machine and user policy; for assemblies, the machine, user, and application domain policies are used. The runtime discovers which code groups the code is a member of, based on the identity information provided by the evidence. If the code is a member of a code group, that group is said to be a "match." The permission sets associated with the matching code groups determine which permissions security policy allows the code to have.

The search for a "match" in the code group hierarchy begins at the top of the hierarchy in the "all code" group. The levels in the code group hierarchy are searched, looking for matches in child groups as long as a match is found in some parent group. For code groups without attributes the process works like this: if a parent code group is a match, all of the matching group's children are examined to see if any of the child groups match, and so on. When all matches in the hierarchy have been identified, the permissions associated with each matching code group are unioned (combined in an additive manner), resulting in the set of permissions allowed by that level of policy.

Note: if exactly one matching code group in the policy level has the Exclusive attribute, only the permissions of the exclusive code group apply. In this case, the allowed permission set for the policy level is simply the set of permissions belonging to the exclusive code group.

The code group hierarchy search is repeated for each relevant policy level. Once the allowed permission set for each policy level has been determined, the sets are intersected. The resulting allowed permission set contains only the permissions that the allowed permission sets for all policy levels have in common.

If a code group has the LevelFirst attribute, the allowed permission set is computed differently: no policy levels below the one containing that code group are considered when checking for matches and granting permissions. For example, if a code group in the hierarchy for the machine policy has the LevelFirst attribute and some code matches the membership condition of this code group, neither the user-level policy nor the application domain policy would be applied to that code.
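The following is an added example, not code from the SDK or the runtime: a simplified Python model of the resolution described above (match by walking down from the root, union within a level, Exclusive override, intersection across levels, LevelFirst cut-off). The `CodeGroup` class, the function names, the evidence dictionary, and the permission names are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class CodeGroup:
    name: str
    matches: object                      # membership condition: callable(evidence) -> bool
    permissions: frozenset = frozenset()
    exclusive: bool = False
    level_first: bool = False
    children: list = field(default_factory=list)

def matching_groups(group, evidence):
    """Walk down from the root; children are examined only under a matching parent."""
    if not group.matches(evidence):
        return []
    found = [group]
    for child in group.children:
        found.extend(matching_groups(child, evidence))
    return found

def resolve_level(root, evidence):
    """Return (allowed set for one policy level, True if a LevelFirst group matched)."""
    matched = matching_groups(root, evidence)
    exclusive = [g for g in matched if g.exclusive]
    if len(exclusive) > 1:  # the page defines only the exactly-one case
        raise ValueError("more than one matching Exclusive code group")
    source = exclusive or matched  # one Exclusive match replaces the union
    allowed = frozenset().union(*(g.permissions for g in source))
    return allowed, any(g.level_first for g in matched)

def allowed_permissions(levels, evidence):
    """levels: root code groups ordered machine, user, application domain."""
    result = None
    for root in levels:
        allowed, stop = resolve_level(root, evidence)
        result = allowed if result is None else result & allowed
        if stop:  # LevelFirst: lower policy levels are not applied
            break
    return result

# Constructed sample policy and evidence (permission names are placeholders).
def sample_levels(exclusive=False, level_first=False):
    internet = CodeGroup("Zone=Internet", lambda e: e["zone"] == "Internet", frozenset({"UI", "Web"}))
    contoso = CodeGroup("Publisher=Contoso", lambda e: e["publisher"] == "Contoso",
                        frozenset({"FileRead"}), exclusive, level_first)
    machine = CodeGroup("All code", lambda e: True, children=[internet, contoso])
    user = CodeGroup("All code", lambda e: True, frozenset({"UI", "FileRead", "Registry"}))
    return [machine, user]

EVIDENCE = {"zone": "Internet", "publisher": "Contoso"}
```

With the default sample policy the machine level allows `UI`, `Web` and `FileRead`, and intersecting with the user level drops `Web`; marking the publisher group LevelFirst keeps the full machine-level set because the user level is never consulted.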