Udostępnij za pośrednictwem


How to: Analyze Problems with Assembly Permissions Using Caspol.exe

You can use the Code Access Security Policy tool (Caspol.exe) to troubleshoot problems that might cause an assembly to not run or to access protected resources or run when it should not.

To analyze problems with an assembly that does not run

  1. Use the –all and the –resolveperm options to determine the permissions that policy grants to the assembly:

    caspol –all –resolveperm assembly-file

    Determine whether the assembly has the right to execute by checking whether the execution flag is set in the SecurityPermission class. If the assembly has execution rights, the security permission set will be unrestricted, or the flags attribute will include the execution flag.

    If the assembly must access a protected resource, (for example, to access a disk, create windows, write to the registry, and so on), check whether the appropriate permissions are set.

  2. Because the permissions granted by the enterprise, machine, and user policy levels intersect, a permission must be set at all levels for an assembly to receive it. If the assembly has insufficient permissions, check the permissions granted to the assembly at each policy level:

    caspol –enterprise –resolveperm assembly-file

    caspol –machine –resolveperm assembly-file

    caspol –user –resolveperm assembly-file

  3. If the assembly is part of a code group whose membership condition is too restrictive, or whose associated permission set does not contain the permissions needed for the assembly to function, the assembly cannot run properly. If the permissions granted to the code are insufficient, you can create a new code group that grants the assembly the permissions needed.

    You can also modify either the associated permission set or the membership condition of one of the existing code groups so that the assembly receives the appropriate permissions. For more information about how to do this, see How to: Change Code Groups Using Caspol.exe.

To analyze an assembly that accesses protected resources or runs when it should not

  • If an assembly runs but should not, or if an assembly accesses resources that it should not access (such as resources required to create dialog boxes), the assembly has probably been granted too many permissions. Use the –resolveperm option to determine which permissions the assembly has been granted. Then use the –resolvegroups option to determine which code groups it belongs to. Change either the membership conditions or the associated permission sets of the associated code groups to limit the permissions granted to the assembly.

See Also

Concepts

Security Policy Model

Reference

Code Access Security Policy Tool (Caspol.exe)

Other Resources

Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe)

Resolving Security Policy Issues Using Caspol.exe