21.6 Creating New Permission Sets


You want to create a new permission set.


Technique

Creating a permission set is similar in many ways to creating a code group, and the tools are the same: the .NET Configuration tool, caspol, and editing the XML policy files directly. Modifying the XML files is advanced, and usually not recommended, so we do not consider that option here.

If you want to use the .NET Configuration tool, you should use the treeview pane to navigate to the Permission Sets node under whichever level you want to set security policy for (enterprise, machine, or user). When you do that, you normally find that the listview contains a Create New Permission Set link, but if it's absent, you can just right-click on the Permission Sets node in the treeview and select New from the context menu. You then walk through a series of dialogs asking you to specify the details of the permission set to be created.

Because we've already discussed the equivalent process for creating a code group, we don't show the dialogs in detail for a permission set here. The most significant dialog in the chain is arguably the one in Figure 21.7, which asks you to select the permissions to be included in the new permission set.

Figure 21.7. Adding permissions to a permission set.


Each time you click on the Add button to add a permission in this dialog, you see a new dialog asking you to specify the details of the access to resources to be granted (such as for the File IO permission, what files or folders the permission set should grant access to).

Just as for adding code groups, you have the option to import the permission set from an XML file. You can find details on the XML file format at the same URL mentioned earlier, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconimportingnewsecuritycomponentstosecuritypolicyfromxmlfiles.asp.

If you want to use caspol, the required flag is -addpset (or -ap):

 c:\> caspol -addpset File.xml

However, as the code snippet shows, adding a permission set using caspol requires you to have previously defined the permission set in an XML file, in the same format required for the .NET Configuration tool.

Comments

Many of the same precautions apply to adding new permission sets as to adding code groups, and you should think carefully about precisely what permissions you need to include in a permission set. To avoid opening any security loopholes, do not assign more permissions than are going to be required. Be very specific with the permissions you grant; for example, if your organization's code often needs access to certain folders on the C: drive, grant access to those folders, not to the entire C: drive. Be especially careful with permissions that allow the execution of unsafe or unmanaged code and permissions that allow access to the Registry or to sensitive or operating-system files. If you find that you need to add a sensitive permission, consider whether this need is caused by poor code design, for example, using the Registry when you could have used isolated storage.
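One way to produce the XML file that caspol needs while following the narrow-grant advice above is to build the set in code and serialize it; this is an added example, not code from the original text. The set name ReportsReadOnly, the folder C:\Reports, and the output file name are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

class BuildPermissionSet
{
    static void Main()
    {
        // Start from an empty set so nothing is granted implicitly.
        // "ReportsReadOnly" is a hypothetical name for this example.
        NamedPermissionSet pset =
            new NamedPermissionSet("ReportsReadOnly", PermissionState.None);
        pset.Description = "Execute and read C:\\Reports only (constructed example)";

        // Grant the right to run, and no other SecurityPermission flag
        // (no UnmanagedCode, no ControlPolicy, and so on).
        pset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // Grant read access to one folder, not to the entire C: drive.
        // C:\Reports is an assumed path.
        pset.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery,
            @"C:\Reports"));

        // Sanity checks before the file is handed to an administrator:
        // refuse to emit a set that is broader than intended.
        if (pset.IsUnrestricted())
            throw new InvalidOperationException("Set is unrestricted.");

        SecurityPermission sp =
            (SecurityPermission)pset.GetPermission(typeof(SecurityPermission));
        if (sp == null || sp.Flags != SecurityPermissionFlag.Execution)
            throw new InvalidOperationException("Unexpected SecurityPermission flags.");

        // ToXml() returns the XML serialization of the named permission set.
        string xml = pset.ToXml().ToString();
        using (StreamWriter writer = new StreamWriter("ReportsReadOnly.xml"))
        {
            writer.Write(xml);
        }

        // Print the XML so it can be reviewed before it is added to policy.
        Console.WriteLine(xml);
    }
}
```

Review the generated file, then add it to policy with caspol -addpset ReportsReadOnly.xml; because the XML already carries the set's name, no name argument is needed.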



Microsoft Visual C# .Net 2003
ISBN: 7508427505
EAN: 2147483647
Year: 2003
Pages: 440
