Customizing the Medium Trust Policy

Microsoft Enterprise Library 5.0

DropDown image DropDownHover image Collapse image Expand image CollapseAll image ExpandAll image Copy image CopyHover image

The tables in the following sections show the additional permissions—beyond those granted by default in the medium trust policy—that may be required by your application. You need to grant these additional permissions only if you want to use these specific features. Unless otherwise noted, make these modifications in the custom policy file.

For extended examples of how to modify a custom policy file, see How To: Use Medium Trust in ASP.NET 2.0 on MSDN. If you are using a partial-trust policy other than medium trust, other restrictions and permissions may apply. For a table that lists the different permissions and the trust policies that allow them, see ASP.NET Code Access Security on MSDN.

These additional permissions are the following:

The next sections describe these permissions.

General Permissions

The following table lists the additional permissions that may be required by core features of Enterprise Library.

Feature

Subfeature

Permissions

Configuration

Not applicable

Add the ConfigurationPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Unrestricted to read the relevant sections in the policy file. Alternatively, add requirePermission = false to the relevant sections in the configuration file.

Configuration

File configuration source

Add the FileIOPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Read and PathDiscovery attributes to the configuration file's folder and to the Machine.config file.

Instrumentation

Performance counters

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Write.

Instrumentation

Event log

Add the EventLogPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Administer for the local computer.




Caching Application Block

The following table lists the additional permissions that may be required by the Caching Application Block.

Feature

Subfeature

Permissions

Storage

Database

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the SerializationFormatter flag to the Flags attribute.

Storage

IsolatedStorage

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the SerializationFormatter flag to the Flags attribute.

Encryption

SymmetricStorage EncryptionProvider (from the Cryptography Application Block)

Add the DataProtectionPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the ProtectData and UnprotectData flags to the Flags attribute.

Instrumentation

Performance counters

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Write on the Enterprise Library Caching Counters category.

Cryptography Application Block

The following table lists the additional permissions that may be required by the Cryptography Application Block.

Feature

Subfeature

Permissions

General

Not applicable

Add the DataProtectionPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the ProtectData and UnprotectData flags to the Flags attribute.

Instrumentation

Performance counters

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Write on the Enterprise Library Cryptography Counters category.

Data Access Application Block

The following table lists the additional permissions that may be required by the Data Access Application Block.

Feature

Subfeature

Permissions

Oracle database

Not applicable

Add the OraclePermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Unrestricted attribute to true.

Odbc database

Not applicable

Add the OdbcPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Unrestricted attribute to true.

OleDb database

Not applicable

Add the OleDbPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Unrestricted attribute to true.

SqlCe database

Not applicable

SQL Server Compact Edition is not supported under partial trust.

Instrumentation

Performance counters

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Write on the Enterprise Library Data Counters category.

Exception Handling Application Block

The following table lists the additional permissions that may be required by the Exception Handling Application Block.

Feature

Subfeature

Permissions

General

Context information

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the UnmanagedCode flag to the Flags attribute.

Instrumentation

Performance counters

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Write on the Enterprise Library exception handling counters category.

Logging Application Block

The following table lists the additional permissions that may be required by the Logging Application Block.

Feature

Subfeature

Permissions

General

Context information

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the UnmanagedCode flag to the Flags attribute.

Tracing

Not applicable

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the UnmanagedCode flag to the Flags attribute.

Trace listeners

General

If you want to use the TraceOptions.Callstack method, add the EnvironmentPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Unrestricted. If you want to use the TraceOptions.ProcessId method, add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the UnmanagedCode flag to the Flags attribute.

Trace listeners

Event Log

Add the EventLogPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Administer to the local computer.

Trace listeners

Message queuing

Message queuing is not supported under partial trust.

Trace listeners

Flat File and Rolling Flat File

Add the FileIOPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Read and Write attributes to the destination file's folder. Set the PathDiscovery and Append attributes to the file. (The file can inherit the permissions from its folder).

Trace listeners

WMI

WMI is not supported under partial trust.

Trace listeners

Database

Add the appropriate database permission for the target database (see the earlier section for the Data Access Application Block).

Formatters

BinaryLogFormatter class

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the SerializationFormatter flag to the Flags attribute.

Formatters

TextFormatter class

There are no permissions to add, although some tokens may not be available if they refer to properties that are not available under partial trust.

General

ContextItems class

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, add the Infrastructure flag to the Flags attribute.

Instrumentation

Performance counters

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Set the Access attribute to Write on the Enterprise Library Logging Counters category.

Security Application Block

The following table lists the additional permissions that may be required by the Security Application Block.

Feature

Subfeature

Permissions

General

Not applicable

If the application uses IIdentity and IPrincipal objects instead of GenericIdentity and GenericPrincipal, it may require additional permissions. For example, the WindowsIdentity object requires that you include the SecurityPermission class in the <SecurityClasses> element and that, within the <IPermission> element, you add the UnmanagedCode and ControlPrincipal flags to the Flags attribute.

Authorization

AzMan (Authorization Manager)

AzMan is not supported under partial trust. For more information, see Limitations When Using Partial Trust.

Instrumentation

Performance counters

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Access attribute to Write on the Enterprise Library Security Counters category.

Policy Injection Application Block

The following table lists the additional permissions that may be required by the Policy Injection Application Block.

Feature

Subfeature

Permissions

Core

Not applicable

No special permissions required over those required for general and medium trust.

WinForms

Not applicable

No special permissions required over those required for general and medium trust.

Instrumentation

Not applicable

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Set the Access attribute to Write on the Enterprise Library Logging Counters category.

CallHandlers

PerformanceCountersInstaller

Requires full trust.

CallHandlers

Other handlers

Each has the same requirements as the application block it uses.

Injectors

Remoting

Add the SecurityPermission class to the <SecurityClasses> element. Within the <IPermission> element, set the Infrastructure attribute to true.

Validation Application Block

The following table lists the additional permissions that may be required by the Validation Application Block.

Feature

Subfeature

Permissions


Core

Not applicable

No special permissions required over those required for general and medium trust.


WinForms

Not applicable

No special permissions required over those required for general and medium trust.


Instrumentation

Not applicable

Add the PerformanceCounterPermission class to the <SecurityClasses> element. Set the Access attribute to Write on the Enterprise Library logging counters category.