Code group (3) property

Code groups can have properties that affect how the common language runtime determines the permissions set allowed by an assembly. There are two types of properties that can be applied to a code group: exclusive and LevelFinal.

Exclusive property, the permission set allowed by the policy level is the permission set associated with the code group that has this attribute. When all policy levels are considered, the runtime does not grant code more permissions than is associated with the exclusive code group. Within a given policy level, code can only be a member of a code group that has a exclusive attribute. This property prevents other code groups in the same policy level from being considered when the runtime evaluates the permissions of an assembly in an exclusive code group. However, the policy levels below and below the current level are still evaluated. This property allows a specific code group to make a unique decision about what permissions are granted to the Assembly that matches the group for the current policy level. This is useful when you need to grant a specific set of permissions to a particular assembly and not allow permissions from other code group matches at the same policy level.

Note: If an assembly belongs to more than one code group that is marked exclusive, the assembly is not allowed to execute.

LevelFinal property, any policy level other than the application domain level below the policy level that contains this code group is not considered when checking code group members and granting permissions. Enterprise policy is the highest level of policy, followed by computer Policy, user policy, and then application domain policy. For example, if the LevelFinal attribute is applied to a code group in enterprise policy, and a code matches the membership condition of this code group, then the machine-level policy and user-level policy are not applied to the code. Applying the LevelFinal property guarantees that the assembly associated with the code group marked with the attribute will never receive fewer permissions because of decisions made by the lower policy level administrator.

You can use the. NET Framework Configuration tool or the Code Access Security Policy tool to turn the exclusive (or LevelFinal) property on or off for a code group. The following methods are used to open the code group exclusive property:

Caspol-chggroup 1.2.1. -exclusive on

Where the code group labeled 1.2.1 is changed using the Chggroup command, the exclusive property is set to open.

---------------------Note: Part of this article changed from the ". NET Security Secrets"

Author: Hyun-Soul

Source: http://www.cnblogs.com/xuanhun/

See more highlights of this column: http://www.bianceng.cnhttp://www.bianceng.cn/Programming/net/