Enterprise Policy Administration

The enterprise policy level contains policy for every computer and user on the network and can be administered by domain or machine administrators. See the section on Deploying Security Policy for information on deployment strategies.

Because the runtime evaluates enterprise policy first, you can apply the LevelFinal attribute to a code group on this level to prevent the lower levels from making policy changes. Without the LevelFinal attribute, lower policy levels can remove permissions from the final grant set, potentially causing application instability. However, even if you do not apply the LevelFinal attribute, lower levels cannot increase the final grant set, because all policy levels are intersected during policy resolution.

You might consider administering policy on this level when every person in your enterprise uses an application and you want to make sure that it always receives sufficient permission to run.
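
The LevelFinal and intersection rules described above, as a simplified Python model added here for illustration (it is not Microsoft's code or the runtime's implementation). The lower level names `machine` and `user`, the permission names, and the `resolve` function are assumptions of the example.

```python
# Simplified model of policy-level resolution (added example).
# A permission set is modelled as a plain set of permission names;
# all names and grants below are constructed sample values.

def resolve(levels):
    """Resolve the final grant set for one assembly.

    levels: list of (level_name, grant_set, level_final) in evaluation
    order, enterprise first. level_final is True when the matching code
    group at that level carries the LevelFinal attribute.
    Returns (final_grant_set, names_of_levels_evaluated).
    """
    final_grant = None
    evaluated = []
    for name, grant, level_final in levels:
        evaluated.append(name)
        # Levels are intersected: a level can only narrow the grant.
        final_grant = set(grant) if final_grant is None else final_grant & set(grant)
        if level_final:
            break  # lower levels are not consulted
    return (final_grant or set()), evaluated


ENTERPRISE_GRANT = {"Execution", "UI", "FileIO"}

# Case 1: no LevelFinal; the user level drops FileIO, so the app loses it.
stripped = [("enterprise", ENTERPRISE_GRANT, False),
            ("machine", {"Execution", "UI", "FileIO"}, False),
            ("user", {"Execution", "UI"}, False)]

# Case 2: LevelFinal on the enterprise code group; lower levels are skipped.
pinned = [("enterprise", ENTERPRISE_GRANT, True)] + stripped[1:]

# Case 3: no LevelFinal; a lower level tries to add Registry and cannot.
widened = [("enterprise", ENTERPRISE_GRANT, False),
           ("machine", ENTERPRISE_GRANT | {"Registry"}, False),
           ("user", ENTERPRISE_GRANT | {"Registry"}, False)]

if __name__ == "__main__":
    for label, case in (("stripped", stripped), ("pinned", pinned), ("widened", widened)):
        grant, seen = resolve(case)
        print(label, sorted(grant), seen)
```
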

See Also

Other Resources

Security Policy Best Practices