ASP.NET Policy Mechanics
The application domain policy for trust levels consists of a policy level (for example, an instance of the System.Security.Policy.PolicyLevel class) that is loaded and applied to the application domain as the application domain policy. The policy tree itself is the same for High, Medium, Low, and Minimal trust levels (no policy is applied for Full), except for the set of granted permissions in the ASP.NET permission set.
After computing the application domain policy for a given application (full-trust applications are exempt from this step), the policy is applied to the application domain. Application domain policy intersects with the various other policy levels (Enterprise, Machine, and User) so that it can only further restrict, not expand, the existing policy.
To see how application domain policy is used to restrict granted permissions, consider the fictitious permission sets and policy levels shown in the following table.
Level |
Name |
Permissions |
---|---|---|
Enterprise |
P1 |
{A, B, C, D} |
Machine |
P2 |
{A, B, C} |
User |
P3 |
{A, B, C} |
Application Domain |
P4 |
{A, B} |
The simplified application permission (ignoring permission requests) of these policy sets would be the intersection of the permissions granted at the various levels. Thus, the intersection of P1, P2, P3, and P4 is {A, B}.
Managing Policy Files
You can edit policy files by hand. You can use the .NET Framework Configuration Tool or the Code Access Security Policy Tool to administer security policy for the enterprise, machine, or user levels. For more information about using these tools, see Administering Security Policy.