How to: Configure Security Settings for Managed Code Form Templates
You can customize the permission set that is applied to an InfoPath managed code form template by using the .NET Configuration snap-in.
The common language runtime (CLR) hosted by InfoPath will look for a predefined code group named InfoPath Form Templates at the Machine policy level under the All_Code group. The CLR will apply the permission sets defined under that group to the application domain (AppDomain) where the form code runs. This allows you to customize the permission sets that are granted to InfoPath managed code form templates. For example, you can grant a form template downloaded from http://MySite permission to access the Active Directory.
For custom security policy defined using the .NET Configuration snap-in to be applied, it must be deployed on all the client computers where the form template will run.
For more information on the security model for InfoPath managed code form templates, see About the Security Model for Managed Code Form Templates
Creating a Code Group for InfoPath Form Templates
The following procedure will create a code group that grants no permissions to InfoPath managed code form templates (except those that are installed or registered on your local machine) under which you can assign permission sets to InfoPath form templates located at specific URLs or UNCs. For information on how to create and assign permission sets to code groups within the InfoPath Form Templates
code group, see the following procedure.
Note
Unlike the Microsoft .NET Framework 1.1 Configuration tool that is installed with the Microsoft .NET Framework 1.1 Redistributable Package, the Microsoft .NET Framework 2.0 Configuration is installed only with the Microsoft .NET Framework 2.0 Software Development Kit (SDK).
Create a custom security code group for InfoPath managed code forms
From the Start menu, point to Administrative Tools, and then click Microsoft .NET Framework 2.0 Configuration.
If you don't have Administrative Tools on the Start menu, from the Control Panel open Administrative Tools, and then double-click Microsoft .NET Framework 2.0 Configuration.
Under My Computer, expand the Runtime Security Policy node, the Machine node, Code Groups node, the All_Code node, and then right-click the All_Code node and click New to open the Create Code Group dialog box.
Name the new code group
InfoPath Form Templates
(this text must be exact), and then click Next.Set the condition type for the code group to All Code, and then click Next.
Click Use existing permission set, assign the Nothing permission set to the code group, click Next, and then click Finish.
To apply the new settings, close and restart InfoPath.
If you prefer, you can manage the permission set for all InfoPath managed code form templates by assigning a permission set other than the Nothing permission set to the InfoPath Form Templates code group.
Note
You can change the permission set for a security code group at any time by right-clicking the group in the .NET Configuration 2.0 snap-in, clicking Properties, and then clicking the Permission Set tab.
Assigning FullTrust to Forms at a Specific URL or UNC
You can create code groups under the InfoPath Form Templates group to grant the full trust permission set to form templates from a particular URL or UNC location. After doing so, every form template published to the specified location will run fully trusted.
Note
A form template that is loaded from the local computer (My Computer Zone code group) is loaded by InfoPath using a random URL. For this reason, you cannot use the following procedure to grant the FullTrust permission set to such a form template. To grant a locally installed form template the FullTrust permission set, use one of the procedures described in the "Deploying Form Templates That Require Full Trust" section of the How to: Deploy InfoPath Projects topic.
Assign FullTrust to InfoPath forms at a specific URL or UNC location
From the Start menu, point to Administrative Tools, and then click Microsoft .NET Framework 2.0 Configuration.
If you don't have Administrative Tools on the Start menu, from the Control Panel open Administrative Tools, and then double-click Microsoft .NET Framework 2.0 Configuration.
Under My Computer, expand the Runtime Security Policy node, the Machine node, Code Groups node, the All_Code node, and then click the InfoPath Form Templates node.
In Tasks list in the right pane, click Add a Child Code Group, name the code group, and then click Next.
In the Choose the condition type for this code group list, select URL, and then enter the URL or UNC for the location of the InfoPath managed code form templates that you want to grant the FullTrust permission set.
To restrict the permission set to a single form template, specify the full path to that particular form template. For example:
\\MyServer\MyShare\MyFormTemplate.xsn
http://MySite/MySubsite/MyFormTempate.xsn
To grant the permission set to all form templates within a URL or UNC, omit the name of the template and add an asterisk at the end of the URL or UNC. For example:
\\MyServer\MyShare\*
http://MySite/MySubsite/*
Click Next, and then click Use existing permission set and assign the FullTrust permission set to the code group.
Click Next, and then click Finish.
To apply the new settings, close and restart InfoPath.
Note
To apply a more restrictive or custom permission set, choose the appropriate option instead of FullTrust in step 4.
Creating a Deployment Package for InfoPath Security Policy
After defining custom security policy for InfoPath managed-form templates, you can create a Windows Installer Package (.msi) for deploying this security policy on users' computers by using Group Policy or Microsoft Systems Management Server.
Create a deployment package for custom InfoPath security policy
From the Start menu, point to Administrative Tools, and then click Microsoft .NET Framework 2.0 Configuration.
If you don't have Administrative Tools on the Start menu, from the Control Panel open Administrative Tools, and then double-click Microsoft .NET Framework 2.0 Configuration.
Right-click Runtime Security Policy, and then click Create Deployment Package.
Under Select the security policy to deploy, click Machine, specify the folder and file name for the Windows Installer Package, and then click Next.
Click Finish to create the deployment package.
For information on how to use the .NET Framework Configuration tool, search Visual Studio .NET Help or the MSDN Web site for ".NET Framework Configuration Tool (Mscorcfg.msc)".