Re: HOWTO Run CASPOL for full trust on UserControl.



"ATS" <ATS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:29C62383-69E1-4250-A7D4-B9586A1D96E8@xxxxxxxxxxxxxxxx
I found the solution, and it does override the machine level policy. I'm
disappointed that MS did not have the simple answer for this:

caspol -enterprise -addgroup 1 -site MyWebSite FullTrust -name
"ThisOVerridesMachine" -description "This code group will override
machine."
-levelfinal on

While overriding in this way is certainly possible, I wouldn't recommend it
as a first choice general solution since it can make CAS policy management
more complex for network administrators. Many/most organizations will grant
such additional permissions via changes to the machine policy, and it's
usually a good idea to stay within the "expected" policy modification set
for any given organization. That said, if your organization is already
performing overrides at the enterprise policy level, there's presumably no
reason to avoid this approach for your application.


I've already tested this, and it works. I've even tested it on a machine
that did not "Trust" the website I put in. The "levelfinal on" was the key
to
make this work. What made it possible to find this was to download the 2.0
SDK and get the GUI version of CASPOL, and play with it until I could find
an
answer, as the whole documentation for CASPOL is very confusing.

For what ever it is worth. I did have my .NET UserControl signed with a
strong name. I suspect that had nothing to do with the "levelfinal on"
working, but I thought I'd mention it anyways.

You're right, the strong name isn't relevant. LevelFinal is a property of
the code group and has nothing to do with properties of any assembly that
meets the membership criteria for the code group. If you would like more
information about LevelFinal, see
http://msdn2.microsoft.com/en-us/library/3wxtc9hf.aspx.


.