Exam 70-553 - Control code privileges by using System.Security.Policy classes

Section 1

  • Part 4
    • Topic 5


Control code privileges by using System.Security.Policy classes. (Refer System.Security.Policy namespace)

  • ApplicationSecurityInfo class and ApplicationSecurityManager class
  • ApplicationTrust class and ApplicationTrustCollection class
  • Evidence class and PermissionRequestEvidence class
  • CodeGroup class, FileCodeGroup class, FirstMatchCodeGroup class, NetCodeGroup class, and UnionCodeGroup class
  • Condition classes
  • PolicyLevel class and PolicyStatement class
  • IApplicationTrustManager interface, IMembershipCondition interface, and IIdentityPermissionFactory interface


Manifests are included by applications deployed through Click Once. These Click Once Xml manifests enumerate the permissions that the application requires. This information should make the other topics make a bit more sense.

The ApplicationSecurityInfo Class is new to .Net 2.0. It holds the security evidence for policy evaluation.

The ApplicationSecurityManager Class is also new to .Net 2.0. It manages trust decisions for manifest activated applications. It exposes the ApplicationTrustManager, and a Collection of Cached Trust decisions for the user.

The ApplicationTrust encapsulates security decisions about an application. The ApplicationTrustCollection is a collection of ApplicationTrust Objects.

The Evidence Class defines the set of information that constitutes input to security policy decisions

The PermissionRequestEvidence Class defines evidence that represents permission requests.

The CodeGroup class is the base class from which other code groups inherit. Code groups are the building blocks of code access security policy. Each policy level consists of a root code group that can have child code groups. Each child code group can have their own child code groups; this behavior extends to any number of levels, forming a tree. Each code group has a membership condition that determines if a given assembly belongs to it based on the evidence for that assembly.

The descriptions of each of the CodeGroup types has been taken directly from msdn2.

The UnionCodeGroup is the most common type of code group; the policy statement of all matching child code groups (and by extension their child code groups) are combined with the permission set of the matching parent code group. Thus, if its membership condition matches, this code group forms the union of its policy statement and those of all its child code groups that also match the evidence.

The FileCodeGroup has the same child matching semantics as UnionCodeGroup. However, FileCodeGroup returns a permission set containing a dynamically-calculated FileIOPermission that grants file access to the directory from which the code is run; UnionCodeGroup only returns a static permission set. The type of file access granted is passed as a parameter to the constructor.

Like any code group, FirstMatchCodeGroup only applies when its membership condition matches evidence for an assembly. If there is a match, it tests the membership condition of each child in order, stopping when the first match occurs. The result of FirstMatchCodeGroup is the union of the policy statement of the root code group and the policy statement of the first child group of that code group that matches

The NetCodeGroup has the same merge semantics as that of UnionCodeGroup; it forms the union of the PolicyStatement objects of all matching child code groups and the PolicyStatement it generates from the input Url evidence. However, NetCodeGroup returns a permission containing a dynamically calculated WebPermission that grants connect access to the site from which the code is run; UnionCodeGroup simply returns a static permission set.

A policy level consists of a set of code groups organized into a single rooted tree (see CodeGroup), a set of named permission sets that are referenced by the code groups to specify permissions to be granted to code belonging to the code group, and a list of fully-trusted assemblies.

The PolicyStatement Class represents the statement of a CodeGroup describing the permissions and other information that apply to code with a particular set of evidence.

IApplicationTrustManager Interface is used to define the interface that determines whether an application should be executed and which set of permissions should be granted to the application.

The IIdentityPermissionFactory Interface is used to define the interface that defines methods that creates a new identity permission.

The IMembershipCondition Interface is used to define the interface that test to determine whether a code assembly is a member of a code group.

Other Resources & Links:

Find Out What's New with Code Access Security in the .NET Framework 2.0

New Security Features in .Net 2.0

System.Security.Policy Namespace

ApplicationSecurityManager Class

ApplicationTrust Class

ApplicationTrustCollection Class

Evidence Class

PermissionReqiestEvidence Class


Exam 70-553 - Access and modify identity information by using the System.Security.Principal classes.

Exam - 70-553 - Control permissions for resources by using the System.Security.Permission classes.