We need to provide the following:
- All permissions for container implementation code.
- Limited permissions as defined for surrogates in each surrogate operating environment. It’s possible that different surrogates might have different permission sets according to some criteria (don’t know what that might be; perhaps different permissions for different connectors).
- Limited permissions for other applications loaded into the container.
- Support for dynamic assignment of permissions to proxies by the proxy verifiers, such as would be allowed by DynamicPolicyProvider.
- Should probably still support UmbrellaGrant, same as FilePolicyProvider.