Share via


ASP.NET Policy Mechanics

The application domain policy for trust levels consists of a policy level (for example, an instance of the System.Security.Policy..::.PolicyLevel class) that is loaded and applied to the application domain as the application domain policy. The policy tree itself is the same for High, Medium, Low, and Minimal trust levels (no policy is applied for Full), except for the set of granted permissions in the ASP.NET permission set.

After computing the application domain policy for a given application (full-trust applications are exempt from this step), the policy is applied to the application domain. Application domain policy intersects with the various other policy levels (Enterprise, Machine, and User) so that it can only further restrict, not expand, the existing policy.

To see how application domain policy is used to restrict granted permissions, consider the fictitious permission sets and policy levels shown in the following table.

Level

Name

Permissions

Enterprise

P1

{A, B, C, D}

Machine

P2

{A, B, C}

User

P3

{A, B, C}

Application Domain

P4

{A, B}

The simplified application permission (ignoring permission requests) of these policy sets would be the intersection of the permissions granted at the various levels. Thus, the intersection of P1, P2, P3, and P4 is {A, B}.

Managing Policy Files

You can edit policy files by hand. You can use the .NET Framework Configuration Tool or the Code Access Security Policy Tool to administer security policy for the enterprise, machine, or user levels. For more information about using these tools, see Administering Security Policy.

See Also

Other Resources

ASP.NET Web Application Security