This chapter explains how the runtime uses security policy to determine which permissions to grant an assembly or application domain based on its identity. We begin with a high-level explanation of security policy and clarify its relationship to evidence and permissions. We describe the structure of security policy and explain how the component elements interact at runtime. We explain how to manipulate security policy programmatically and demonstrate the use of application domain policy. Finally, we continue the development of the CAS extensions started in Chapter 6, showing you how to use custom evidence in security policy configuration.
Security policy is the set of configurable rules that provide a mapping between evidence and permissions. Specifically, the runtime uses security policy to determine which code-access permissions to grant an assembly or application domain based on the set of evidence that the assembly or application domain presents—a process known as policy resolution .
Security policy only determines the code-access permissions assigned to an assembly or application domain. The runtime assigns identity permissions as a direct result of the assembly or application domain presenting certain types of evidence. Role-based permissions are based on the identity of the user under which the application is executing. See Chapter 7 for a complete description of the different permission types.
The security policy mechanism ...