Windows code security questions

What s the difference between code-based security and role-based security?
Which one is better?
Code security is the approach of using permissions and permission sets for a
given code to run. The admin, for example, can disable running executables off
the Internet or restrict access to corporate database to only few applications. Rolebased
security most of the time involves the code running with the privileges of
the current user. This way the code cannot supposedly do more harm than mess
up a single user account. There s no better, or 100% thumbs-up approach,
depending on the nature of deployment, both code-based and role-based security
could be implemented to an extent.
How can you work with permissions from your .NET application?
You can request permission to do something and you can demand certain
permissions from other apps. You can also refuse permissions so that your app is
not inadvertently used to destroy some data.
How can C# app request minimum permissions?
using System.Security.Permissions;
[assembly:FileDialogPermissionAttribute(SecurityAction.Request
Minimum, Unrestricted=true)]
What s a code group?
A code group is a set of assemblies that share a security context.
What s the difference between authentication and authorization?
Authentication happens first. You verify user s identity based on credentials.
Authorization is making sure the user only gets access to the resources he has
credentials for.
What are the authentication modes in ASP.NET?
None, Windows, Forms and Passport.
Are the actual permissions for the application defined at run-time or compiletime?

The CLR computes actual permissions at runtime based on code group membership
and the calling chain of the code.