Code Group Attributes

Article
02/04/2013

Important
In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.

In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.

Code groups can have attributes that affect how the common language runtime determines an assembly's allowed permission set. The following table shows the attributes that can be applied to code groups.

Attribute	Description
Exclusive	The allowed permission set for the policy level is the permission set associated with the code group that has this attribute. When all policy levels are considered, the runtime never grants the code more permissions than those associated with the Exclusive code group. Within a given policy level, code can be a member of no more than one code group that has the Exclusive attribute.
LevelFinal	No policy level, except the application domain level, below the one containing this code group is considered when checking code group membership and granting permissions. Enterprise policy is the highest level of policy, followed by machine policy, user policy, and then application domain policy. For example, if the LevelFinal attribute is applied to a code group in enterprise policy and some code matches the membership condition of this code group, then machine and user level policy are not applied to that code.

Exclusive

The allowed permission set for the policy level is the permission set associated with the code group that has this attribute. When all policy levels are considered, the runtime never grants the code more permissions than those associated with the Exclusive code group. Within a given policy level, code can be a member of no more than one code group that has the Exclusive attribute.

LevelFinal

No policy level, except the application domain level, below the one containing this code group is considered when checking code group membership and granting permissions. Enterprise policy is the highest level of policy, followed by machine policy, user policy, and then application domain policy. For example, if the LevelFinal attribute is applied to a code group in enterprise policy and some code matches the membership condition of this code group, then machine and user level policy are not applied to that code.

A code group can be marked with both the Exclusive and LevelFinal attributes.

Code Group Attributes

See Also

Other Resources

Additional resources