none
Cannot set permissions to code group RRS feed

  • Question

  • I'm studying for the 70-536 exam and having difficulty setting up a codegroup with proper permissions.  I'm successful in setting up a codegroup but no matter what permission set I give to my code gorup the permissions always show "Unrestricted" when I evaluate assembly.  Actually, the assembly doesn't even recognize the code group...more on that....

    First, I tried file://127.0.0.1/C$/MyAssemblyName.exe then read something about it on the internet that the framework may not recognize loopback address (something like that).  The codegroup would NEVER be recognized.  So, what I did was sign the assembly and used the strongname as the membership condition for the codegroup and finally the codegroup was recognized!  BUT, when I evaluated the assembly it STILL shows "Unrestricted" even though I set the permission set to something different for my new code group.

    So, I'm at least past the codegroup issue (although I don't understand why I can't use the "file" and need to depend on strongname), but I still can't get permissions to work.

    Any ideas?  I'm having difficulty working through these labs and if I can't get things to work then I'll obviously not be adequately prepared to answer questions for the exam.

    Thanks in advance!
    Joe Kehnast
    Sunday, March 14, 2010 3:05 PM

Answers

  • Hi,

    You can use the .NET Framework Configuration tool (Mscorcfg.msc) to c hange the permission set associated with an existing code group :

       1.  Run the .NET Framework Configuration tool (Mscorcfg.msc). At the command prompt, type the following:

          %Systemroot%\Microsoft.NET\Framework\versionNumber\Mscorcfg.msc

       2. Expand the Runtime Security Policy node.

       3. Expand the node for the policy level that contains the code group you want to modify.

       4. Expand the Code Groups node, and then expand the tree under the All_code node.

       5. Right-click the appropriate code group and select Properties.

       6. Click the Permission Set tab.

       7. Select the permission set you want to associate with the code group from the drop-down list and click OK.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by eryang Tuesday, June 29, 2010 3:29 AM
    Tuesday, March 16, 2010 3:07 AM
  • Hi Joe,

    > I'm successful in setting up a codegroup but no matter what permission set I give to my code gorup the permissions always show "Unrestricted" when I evaluate assembly. 

    CAS iterates through all policy levels, and on each of them it traverses the defined code groups to find those matching the evidence. All code groups that meet the membership condition will be gathered in a code group union. The matching code groups from all policy levels will be then intersected with each other, and on this base the permissions will be granted or denied.

    When you run an assembly from the local hard drive, this evidence is by default enough for the CAS to grant FullTrust (see the My_Computer_Zone code group). To make your new, restrictive code group the only code group that governs over what permission set is granted by CAS you have to set two policy attributes: Exclusive and Level Final. You can check the corresponding checkboxes when you show the properties for a code group in the .NET Configuration Tool:

     [ ]  This policy level will only have the permissions from the permission set associated with this code group (exclusive) 
     [ ]  Policy levels below this level will not be evaluated (level final)



    Marcel

    • Marked as answer by eryang Tuesday, June 29, 2010 3:29 AM
    Tuesday, March 16, 2010 12:56 PM

All replies

  • Hi,

    You can use the .NET Framework Configuration tool (Mscorcfg.msc) to c hange the permission set associated with an existing code group :

       1.  Run the .NET Framework Configuration tool (Mscorcfg.msc). At the command prompt, type the following:

          %Systemroot%\Microsoft.NET\Framework\versionNumber\Mscorcfg.msc

       2. Expand the Runtime Security Policy node.

       3. Expand the node for the policy level that contains the code group you want to modify.

       4. Expand the Code Groups node, and then expand the tree under the All_code node.

       5. Right-click the appropriate code group and select Properties.

       6. Click the Permission Set tab.

       7. Select the permission set you want to associate with the code group from the drop-down list and click OK.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by eryang Tuesday, June 29, 2010 3:29 AM
    Tuesday, March 16, 2010 3:07 AM
  • Hi Joe,

    > I'm successful in setting up a codegroup but no matter what permission set I give to my code gorup the permissions always show "Unrestricted" when I evaluate assembly. 

    CAS iterates through all policy levels, and on each of them it traverses the defined code groups to find those matching the evidence. All code groups that meet the membership condition will be gathered in a code group union. The matching code groups from all policy levels will be then intersected with each other, and on this base the permissions will be granted or denied.

    When you run an assembly from the local hard drive, this evidence is by default enough for the CAS to grant FullTrust (see the My_Computer_Zone code group). To make your new, restrictive code group the only code group that governs over what permission set is granted by CAS you have to set two policy attributes: Exclusive and Level Final. You can check the corresponding checkboxes when you show the properties for a code group in the .NET Configuration Tool:

     [ ]  This policy level will only have the permissions from the permission set associated with this code group (exclusive) 
     [ ]  Policy levels below this level will not be evaluated (level final)



    Marcel

    • Marked as answer by eryang Tuesday, June 29, 2010 3:29 AM
    Tuesday, March 16, 2010 12:56 PM
  • Hi Joe,

    How about the issue status now? please feel free to let us know if you have any concern.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Friday, March 19, 2010 3:08 AM