For application domains, the granted permission set is simply the allowed permission set. For assemblies, the other factors described in this topic are considered at assembly load time when determining the grant set.
An assembly can contain declarative security requests that tell the runtime what permissions the code needs or would like to have. A code request can consist of the following three permission sets:
If all three permission requests are absent, the assembly is simply granted the permission set that policy allows. However, if at least one of the three permission requests is present, the requested permissions are considered when computing the granted permissions. First, the runtime checks to see if the set of required permissions is a subset of the allowed permission set. If this test fails, the code is not allowed to run and a PolicyException is thrown with a message naming the assembly that was not allowed to execute. Then, if the code is allowed to run, the runtime computes a set of permissions to grant the assembly, based on the allowed permission set and the requested permissions.
The granted permission set is computed as follows: The assembly's minimum permission request is added to the intersection of the assembly's optional request and the allowed permission set, and the refused set is subtracted from the result. In practical terms, this means that the permission set granted to an assembly is the assembly's required permission request and whatever subset of the optional request is allowed by policy, less any permissions that either policy or the permission request refused.