Allowing Partially Trusted Callers

Sharing code libraries is a common scenario with common language runtime (CLR) integration, where an assembly containing a user-defined type, stored procedure, user-defined function, user-defined aggregate, trigger, or utility class is often accessed by another assembly or application. Code libraries that are to be shared by multiple applications must be signed with a strong name.

Only applications that are fully trusted by the runtime code access security system are allowed to access a shared managed code assembly that is not explicitly marked with the System.Security.AllowPartiallyTrustedCallers attribute. A partially trusted assembly (one that is registered in SQL Server with the SAFE or EXTERNAL_ACCESS permission set) that attempts to access a strong-name signed assembly without this attribute causes a System.Security.SecurityException to be thrown. The error message you see is similar to the following:

Msg 6522, Level 16, State 1, Procedure usp_RSTest, Line 0
A .NET Framework error occurred during execution of user defined
routine or aggregate 'usp_RSTest':  System.Security.SecurityException: That assembly does not allow partially trusted callers.
System.Security.SecurityException: at
System.Security.CodeAccessSecurityEngine.ThrowSecurityException(
Assembly asm, PermissionSet granted,PermissionSet refused,
RuntimeMethodHandle rmh, SecurityAction action, Object demand,
IPermission permThatFailed) at
Microsoft.Samples.SqlServer.TestResultSet.Test()

We recommend that all assemblies registered in SQL Server, except those assemblies added to the global assembly cache, be marked with the AllowPartiallyTrustedCallers attribute so that assemblies loaded by SQL Server can access each other. Assemblies that are to be added to the global assembly cache should be thoroughly reviewed for safety before adding the AllowPartiallyTrustedCallers attribute, as the assembly would then be available to partially trusted callers from unexpected contexts. An assembly should not be made fully trusted (registered with the UNSAFE permission set in SQL Server).

For more information, see the "Using Libraries from Partially Trusted Code" section in the .NET Framework software development kit.

Example

Suppose there is a utility class that would be useful for many server-side CLR integration applications. For example, it might be a class that represents the results of invoking a query. To enable sharing of this component, this utility class is placed in a separate assembly. Then that assembly is referenced from various other assemblies that contain CLR integration objects. Because this utility class is used in many different server applications, it is reviewed carefully and any security issues are resolved. The AllowPartiallyTrustedCallers attribute is then applied to the assembly that contains the utility class, so that CLR integration objects contained in assemblies marked with SAFE or EXTERNAL_ACCESS permission sets can use the utility class and methods, even though they are in a separate assembly. For an example of how the AllowPartiallyTrustedCallers attribute is used, see the Result Set Sample.

See Also

Concepts

CLR Integration Security

Help and Information

Getting SQL Server 2005 Assistance