Security Policy, Code Groups and Security Tools.
From: Mark Broadbent (no-spam-please_at_no-spam-please.com)
Date: 05/20/04
- Next message: Phil Wilson: "Re: ERROR: COULD NOT FIND INSTALLABLE ISAM"
- Previous message: Chris Mullins: "Re: Loosing reference to Thread"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 20 May 2004 18:45:00 +0100
Could someone who has active experience of assigning Security Policys please
clarify my follow comments...
Having gone through the MSDN documentation on this subject, my condensed
version of the way the security code permissions works is thus :-
1. An Assembly will be mapped to one or more Code Groups based upon the
membership conditions specified within each code group.
2. When an assembly belongs to multiple code groups, permissions assigned by
one code group can be overridden (increased) by permissions assigned by
another code group when they are both part of the same Policy level.
3. Code groups from a lower policy level cannot override (increase)
permissions set by an upper level (apart from when the permission hasnt yet
been set) *but* can reduce them.
4. The user policy level code groups cannot grant additional permissions to
an assembly *but* can only reduce them further.
5. When the Exclusive attribute is used on a code group, the code group will
become the only one within that policy level to apply permissions, although
the further policy levels code groups will be evaluated. When an application
belongs to more than one Exclusive code group it will not be run.
6. When the Level Final attribute is used on a code group, no other policy
levels code groups are evaluated *although* the current policy levels code
groups will.
7. When Level Final and Exclusive are used together then the codegroup on
that level will be the only one that will apply to the application through
all policy levels.
Couple of points.
a. Firstly is there any reason that the code groups are / can be nested,
from what I can see the answer is no -although I am assuming that it allows
for a more specific targetting of conditions.
b. Since the default Enterprise code group is All_Code -Full Trust and
changing it could effectly cause problems with the framework, I assume this
is left alone. Because this code group would override any additional code
groups within this policy, I am assuming that all Enterprise level code
groups should be marked as Exclusive.
c. Does Caspol utility expose any additional functionality than mscorcfg
utility (apart from the ability to do scripted config)?
Thanks in advance
-- Br, Mark Broadbent mcdba , mcse+i =============
- Next message: Phil Wilson: "Re: ERROR: COULD NOT FIND INSTALLABLE ISAM"
- Previous message: Chris Mullins: "Re: Loosing reference to Thread"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
