When it comes to ASP.NET programs, there are generally two types of permissions:
1. The permissions of the account.
2. The permissions of the code.
The permissions of the account restrict what every ASP.NET program running under that account can do. The permissions of the code are specific to one ASP.NET program and determine which resources, such as databases and files, that program can access. Both apply to the ASP.NET process at the same time. Simply put, what the ASP.NET program can actually do is the intersection of the two.
In IIS 5, the default account configured for the application pool is ASPNET. IIS 6/7 differ slightly: the ASPNET account was replaced by Network Service. In IIS 7, for example, if you use the default Network Service account, the resources your ASP.NET program can access are limited to those the Network Service account itself can access. By default, Network Service can read and write all files under the IIS wwwroot folder, and its access to other folders is controlled by their ACLs.
Scenario 1: When we develop in Visual Studio, the program runs under the account Visual Studio runs as, which is the system account (the account used to log in to the machine). That account has more permissions than Network Service. As a result, when the program produces errors after being deployed to IIS, this difference is the first thing to consider.
Scenario 2: When you connect to a database with Windows Integrated authentication, you sometimes find that the Network Service account cannot log in. The cause is the same: at development time you log in to the database with the system account, but after deploying to IIS the program connects to the database as Network Service. It is therefore necessary to add the Network Service account to the database.
The permissions of the code are referred to in ASP.NET as Code Access Security (CAS). CAS sets out which resources the ASP.NET program can access. In some cases, account permissions alone cannot easily limit what the ASP.NET program can do. With CAS, we can limit the ASP.NET program's ability to perform file operations and to access database resources. In the ASP.NET configuration file, CAS is divided into 5 different levels, and setting a level restricts which resources the program can access. If you need more information, we suggest that you view this article:
http://msdn.microsoft.com/en-us/library/ms998326.aspx
Scenario 3: An ASP.NET program cannot create a file after it has been deployed to paid hosting space. This is because the server defines CAS at the machine level, which prevents every ASP.NET program running on that machine from performing file operations. This is done primarily to protect the security of the server.
We can also use impersonation (usually together with Windows authentication) when the program requires it. Impersonation mimics a specific user, so that the thread runs under that particular account. This is a good way to limit different users' access to domain resources.
Have a nice day!
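
A small diagnostic for telling the two permission layers apart when a file write fails after deployment (Scenarios 1 and 3). This is an added example, not code from the original text; the class name `PermissionProbe`, the method `ProbeWrite` and the probe file name are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Principal;

// Added example: reports which layer (code permissions or account
// permissions) blocked a file write. All names here are hypothetical.
public static class PermissionProbe
{
    public static string ProbeWrite(string directory)
    {
        string account;
        try
        {
            // Returns the impersonated user if the thread is impersonating,
            // otherwise the worker process account (e.g. Network Service).
            account = WindowsIdentity.GetCurrent().Name;
        }
        catch (SecurityException)
        {
            // A very restrictive CAS level can block even the identity lookup.
            account = "(unknown: identity lookup blocked by CAS)";
        }

        string probeFile = Path.Combine(directory, "write-probe.tmp");
        try
        {
            File.WriteAllText(probeFile, "probe");
            File.Delete(probeFile);
            return "OK: account '" + account + "' and CAS both allow writes to " + directory;
        }
        catch (SecurityException)
        {
            // The CLR refused before Windows was asked: code permissions (Scenario 3).
            // Changing the account or the folder ACL will not help here.
            return "Blocked by CAS: the configured level does not grant file access to " + directory;
        }
        catch (UnauthorizedAccessException)
        {
            // CAS allowed the call, but the folder ACL rejected the account (Scenario 1).
            return "Blocked by ACL: account '" + account + "' has no write access to " + directory;
        }
    }
}
```

Call `PermissionProbe.ProbeWrite(Server.MapPath("~/App_Data"))` from a page in the deployed site and compare the result with the same call made under Visual Studio.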