The System.Security.Policy namespace contains classes that represent evidence and the key elements of security policy, including membership conditions, code groups, and policy levels. Security policy is the set of configurable rules that provide a mapping between evidence and permissions. Specifically, the runtime uses security policy to determine which code-access permissions to grant to an assembly or application domain based on the set of evidence that the assembly or application domain presents, a process known as policy resolution.
.NET divides security policy into four policy levels: enterprise, machine, user, and application domain. Each policy level consists of a set of code groups organized into a tree structure. There are different types of code groups, but most contain a membership condition (based on the values of evidence objects) and a permission set that the code group grants to assemblies and application domains that qualify for membership. Some code groups contain a set of child code groups; member assemblies and application domains are also compared against those children for membership, which is what creates the tree structure.
During policy resolution, the runtime traverses the tree of code groups in each policy level and compares the evidence presented by the assembly or application domain with the membership condition of each code group. If the evidence meets the code group's membership condition, then the runtime grants the assembly or application domain the permissions contained in the code group's permission set. To calculate the permissions granted by a policy level, the runtime takes the union of all the permission sets granted by the code groups to which an assembly or application domain qualifies for membership. The final set of permissions is calculated by intersecting the permission sets granted by each policy level. Different types of code groups and code group attributes can alter the way that the runtime combines code group permission sets.
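As an added illustration of the resolution rule just described (union of matching code groups within a level, intersection across levels), the following C# is not from the original text; it builds two policy levels by hand with the System.Security.Policy types and resolves constructed evidence against them. It assumes .NET Framework with legacy CAS policy available (CAS policy is not supported on .NET Core / .NET 5+); the URLs, the `C:\data` path and the permission values are constructed for the example.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Assumed environment: .NET Framework with legacy CAS policy; these types do not work on .NET Core / .NET 5+.
static class PolicyResolutionDemo
{
    // One policy level: a root group that matches all code but grants nothing, plus a
    // zone-based child and a URL-based child that each grant FileIO access to C:\data.
    static PolicyLevel BuildLevel(SecurityZone zone, FileIOPermissionAccess zoneAccess,
                                  string urlPattern, FileIOPermissionAccess urlAccess)
    {
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        var root = new UnionCodeGroup(new AllMembershipCondition(),
                                      new PolicyStatement(new PermissionSet(PermissionState.None)));
        var zoneSet = new PermissionSet(PermissionState.None);
        zoneSet.AddPermission(new FileIOPermission(zoneAccess, @"C:\data"));
        root.AddChild(new UnionCodeGroup(new ZoneMembershipCondition(zone), new PolicyStatement(zoneSet)));
        var urlSet = new PermissionSet(PermissionState.None);
        urlSet.AddPermission(new FileIOPermission(urlAccess, @"C:\data"));
        root.AddChild(new UnionCodeGroup(new UrlMembershipCondition(urlPattern), new PolicyStatement(urlSet)));
        level.RootCodeGroup = root;
        return level;
    }

    static void Main()
    {
        // Constructed evidence: an assembly loaded from an intranet URL.
        var evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(SecurityZone.Intranet));
        evidence.AddHostEvidence(new Url("http://intranet.example/app/lib.dll"));
        // Level A: zone group grants Read, URL group grants Write, so its union is Read | Write.
        PolicyLevel a = BuildLevel(SecurityZone.Intranet, FileIOPermissionAccess.Read,
                                   "http://intranet.example/*", FileIOPermissionAccess.Write);
        // Level B: zone group grants Read; its URL group does not match, so it grants Read only.
        PolicyLevel b = BuildLevel(SecurityZone.Intranet, FileIOPermissionAccess.Read,
                                   "http://other.example/*", FileIOPermissionAccess.Write);
        // Within a level, UnionCodeGroup unions the grants of every matching group;
        // across levels, the runtime intersects, so the final grant is Read only.
        PermissionSet levelA = a.Resolve(evidence).PermissionSet;
        PermissionSet levelB = b.Resolve(evidence).PermissionSet;
        PermissionSet granted = levelA.Intersect(levelB);
        Console.WriteLine(granted.ToXml());
    }
}
```

The printed permission set contains a single FileIOPermission with Read access to `C:\data`; Write was granted by level A but removed by the intersection with level B.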
Figure 28-1 and Figure 28-2 show the types in this namespace.