Code group (3) attributes

Code group (3) attributes

Code groups can have attributes that affect how the common language runtime determines the permission set permitted by the Assembly. There are two types of attributes that can be applied to a code group: Exclusive and LevelFinal.

Exclusive attribute. The permission set permitted at the policy level is the permission set associated with the code group with this attribute. When considering all policy levels, the runtime database grants no more permissions to the code than the permissions associated with the Exclusive code group. At the given policy level, the code can only be a member of a code group with the Exclusive attribute. This attribute prevents other code groups at the same policy level from being considered when the runtime calculates the authorization of an assembly in an exclusive code group. However, the policy levels below and below the current level are still calculated. This attribute allows a specific code group to make a unique decision for the current policy level regarding the permission granted to the Assembly that matches the group. This is useful when you need to grant a specific permission set to a specific assembly and do not allow the permission for other code group matches at the same policy level.

Note:If an assembly belongs to multiple exclusive code groups, execution of the Assembly is not allowed.

When checking the code group members and granting permissions, The LevelFinal attribute does not consider any other policy levels beyond the policy level of the code group and beyond the application domain level. Enterprise-level policies are the highest level of policies, followed by computer policies, user policies, and then application domain policies. For example, if the LevelFinal attribute is applied to a code group in an enterprise-level policy and a code matches the membership condition of the code group, the computer-level policy and user-level policy will not apply to the code. The application of the LevelFinal attribute ensures that the Assembly associated with the code group with this attribute will never receive fewer permissions because of the decision made by the lower policy level administrator.

You can use the. NET Framework Configuration tool or the code access security policy tool to enable or disable the Exclusive (or LevelFinal) attribute for the code group. To enable the code group Exclusive attribute, follow these steps:

Caspol-chggroup 1.2.1.-exclusive on

Use the chggroup command to change the code group labeled 1.2.1 and set the Exclusive attribute to the on state.

--------------------- Note: Part of this article is changed from. NET Security secrets.