comment:
  The name of the requested right is matched against the keys. An exact match has priority; otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction.

  allow rule: this is always allowed
      <key>com.apple.TestApp.benign</key>
      <string>allow</string>

  deny rule: this is always denied
      <key>com.apple.TestApp.dangerous</key>
      <string>deny</string>

  user rule: successful authentication as a user in the specified group(5) allows the associated right. The shared property specifies whether a credential generated on success is shared with other apps (i.e., those in the same "session"). This property defaults to false if not specified. The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule. The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified. See remaining rules for examples.

rights:
  (Boolean-valued keys such as allow-root, shared, authenticate-user, entitled, entitled-group, vpn-entitled-group, session-owner, extract-password and require-apple-signed are listed by name only; their true/false values are not present in this dump. Array values are shown in brackets, with mechanism lists one entry per line.)

  ""
    class: rule
    comment: Matches otherwise unmatched rights (i.e., is a default).
    rule: default

  com.apple.
    rule: default

  com.apple.AOSNotification.FindMyMac.modify
    allow-root
    class: rule
    k-of-n: 1
    rule: [is-root, is-admin, default]

  com.apple.AOSNotification.FindMyMac.remove
    allow-root
    class: user
    group: admin

  com.apple.DiskManagement.
    class: rule
    comment: Used by diskmanagementd to allow access to its privileged functions.
    k-of-n: 1
    rule: [is-root, is-admin, on-console, default]

  com.apple.DiskManagement.internal.
    class: rule
    comment: Used by diskmanagementd to allow access to its privileged functions.
    k-of-n: 1
    rule: [is-root, is-admin, default]

  com.apple.DiskManagement.reserveKEK
    allow-root
    class: user
    comment: Used by diskmanagementd to allow use of the reserve KEK.
    group: admin
    shared

  com.apple.KerberosAgent
    class: evaluate-mechanisms
    comment: Used to acquire Kerberos credentials.
    mechanisms:
      KerberosAgent:kerberos-dialog
      KerberosAgent:kerberos-authenticate,privileged

  com.apple.OpenScripting.additions.send
    allow-root
    class: user
    comment: Used to send restricted scripting addition commands to processes that require authorization to handle the events.
    group: admin

  com.apple.ReportPanic.fixRight
    allow-root
    authenticate-user
    class: user
    group: admin
    require-apple-signed
    shared
    timeout: 10

  com.apple.Safari.parental-controls
    allow-root
    class: rule
    comment: Checked when changing parental controls for Safari.
    k-of-n: 1
    rule: [is-admin, authenticate-admin]
    shared
    timeout: 60

  com.apple.Safari.show-credit-card-numbers
    class: user
    comment: This right is used by Safari to show credit card numbers.
    session-owner
    shared
    timeout: 10

  com.apple.Safari.show-passwords
    class: user
    comment: This right is used by Safari to show passwords.
    session-owner
    shared
    timeout: 10

  com.apple.ServiceManagement.blesshelper
    allow-root
    class: user
    comment: Used by the ServiceManagement framework to add a privileged helper tool to the system launchd.
    group: admin
    timeout: 30
    version: 1

  com.apple.ServiceManagement.daemons.modify
    class: rule
    comment: Used by the ServiceManagement framework to make changes to the system launchd's set of daemons.
    k-of-n: 1
    rule: [is-root, entitled-admin-or-authenticate-admin]

  com.apple.SoftwareUpdate.modify-settings
    class: rule
    comment: Checked by the Admin framework when making changes to the Software Update preference pane.
    rule: root-or-entitled-admin-or-app-specific-admin

  com.apple.SoftwareUpdate.scan
    class: rule
    comment: Checked when user is updating software.
    rule: root-or-entitled-admin-or-authenticate-admin

  com.apple.XType.fontmover.install
    allow-root
    class: user
    group: admin
    shared
    timeout: 300

  com.apple.XType.fontmover.remove
    allow-root
    class: user
    group: admin
    shared
    timeout: 300

  com.apple.XType.fontmover.restore
    class: rule
    rule: root-or-entitled-admin-or-authenticate-admin

  com.apple.ZFSManager.
    class: rule
    comment: Used by zfsmanager to allow access to destructive zfs functions.
    k-of-n: 1
    rule: [is-root, is-admin, default]
    shared

  com.apple.activitymonitor.kill
    class: rule
    comment: Used by Activity Monitor to authorize killing processes not owned by the user.
    rule: entitled-admin-or-authenticate-admin
    shared
    timeout: 0

  com.apple.appserver.privilege.admin
    class: rule
    comment: For administrative access to the Application Server management tool.
    rule: appserver-admin

  com.apple.appserver.privilege.user
    class: rule
    comment: For user access to the Application Server management tool.
    k-of-n: 1
    rule: [appserver-admin, appserver-user]

  com.apple.builtin.confirm-access
    class: evaluate-mechanisms
    mechanisms:
      builtin:confirm-access
    tries: 1

  com.apple.builtin.confirm-access-password
    class: evaluate-mechanisms
    mechanisms:
      builtin:confirm-access-password

  com.apple.builtin.generic-new-passphrase
    class: evaluate-mechanisms
    mechanisms:
      builtin:generic-new-passphrase

  com.apple.builtin.generic-unlock
    class: evaluate-mechanisms
    mechanisms:
      builtin:generic-unlock

  com.apple.container-repair
    class: user
    group: admin
    shared
    timeout: 30

  com.apple.dashboard.advisory.allow
    class: user
    group: admin
    shared
    timeout: 300

  com.apple.desktopservices
    class: user
    comment: For privileged file operations from within the Finder.
    group: admin
    shared
    timeout: 0

  com.apple.desktopservices.scripted
    class: user
    comment: For scripting-initiated privileged file operations from within the Finder.
    group: admin
    shared
    timeout: 0

  com.apple.docset.install
    class: user
    comment: Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
    group: admin
    shared

  com.apple.iBooksX.ParentalControl
    class: user
    comment: Checked when making changes to the Parental Controls for iBooks.
    group: admin
    shared

  com.apple.library-repair
    class: user
    group: admin

  com.apple.lldb.LaunchUsingXPC
    class: user
    group: admin

  com.apple.opendirectoryd.linkidentity
    class: rule
    rule: entitled-session-owner-or-authenticate-session-owner

  com.apple.pf.rule
    authenticate-user
    class: user
    group: admin
    timeout: 0

  com.apple.security.assessment.update
    class: rule
    rule: root-or-entitled-admin-or-authenticate-admin

  com.apple.server.admin.streaming
    allow-root
    class: rule
    comment: For making administrative requests to the QuickTime Streaming Server.
    k-of-n: 1
    rule: [is-admin, authenticate-admin]
    shared
    timeout: 0

  com.apple.trust-settings.admin
    allow-root
    class: user
    comment: For modifying Trust Settings in the Local Admin domain.
    group: admin

  com.apple.trust-settings.user
    comment: For modifying per-user Trust Settings.
    rule: entitled-session-owner-or-authenticate-session-owner

  com.apple.uninstalld.uninstall
    class: rule
    rule: entitled-admin-or-authenticate-admin

  config.add.
    class: allow
    comment: Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.

  config.config.
    class: deny
    comment: Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).

  config.modify.
    class: rule
    comment: Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
    k-of-n: 1
    rule: [is-root, authenticate-admin]

  config.remove.
    class: rule
    comment: Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
    k-of-n: 1
    rule: [is-root, authenticate-admin]

  config.remove.system.
    class: deny
    comment: Wildcard right for deleting system rights.

  sys.openfile.
    class: user
    comment: See authopen(1) for information on the use of this right.
    group: admin
    shared
    timeout: 300

  system.
    rule: default

  system.burn
    class: allow
    comment: For burning media.

  system.csfde.requestpassword
    class: user
    comment: Used by CoreStorage Full Disk Encryption to request the user's password.
    extract-password
    group: staff
    shared
    timeout: 0

  system.device.dvd.setregion.initial
    class: user
    comment: Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
    group: admin
    shared

  system.disk.unlock
    class: evaluate-mechanisms
    comment: Do not modify.
    mechanisms:
      DiskUnlock:prompt
      DiskUnlock:unlock,privileged

  system.global-login-items.
    class: rule
    k-of-n: 1
    rule: [default]
    version: 1

  system.hdd.smart
    class: allow
    comment: For modifying SMART settings.

  system.identity.write.
    class: rule
    comment: For creating, changing or deleting local user accounts and groups.
    k-of-n: 1
    rule: [is-admin, authenticate-admin]

  system.identity.write.credential
    class: rule
    comment: Checked when changing authentication credentials (password or certificate) for a local user account.
    rule: default

  system.identity.write.self
    authenticate-user
    class: user
    comment: Checked when changing authentication credentials (password or certificate) for the current user's account.
    session-owner

  system.install.app-store-software
    class: rule
    comment: Checked when user is installing software from the App Store.
    rule: entitled-appstore-or-entitled-authenticate-appstore

  system.install.app-store-software.standard-user
    authenticate-user
    class: user
    comment: Checked when user is installing new software.
    entitled
    group: admin
    timeout: 10

  system.install.apple-config-data
    allow-root
    class: rule
    rule: entitled

  system.install.apple-software
    class: rule
    comment: Checked when user is installing Apple-provided software.
    rule: root-or-entitled-admin-or-authenticate-admin

  system.install.apple-software.standard-user
    authenticate-user
    class: user
    comment: Checked when user is installing new software.
    entitled
    group: admin
    timeout: 10

  system.install.iap-software
    allow-root
    authenticate-user
    class: user
    entitled

  system.install.software
    allow-root
    class: user
    comment: Checked when user is installing new software.
    group: admin
    shared
    timeout: 300

  system.keychain.create.loginkc
    allow-root
    class: evaluate-mechanisms
    comment: Used by the Security framework when you add an item to an unconfigured default keychain.
    mechanisms:
      loginKC:queryCreate
      loginKC:showPasswordUI
      authinternal
    session-owner
    shared

  system.keychain.modify
    class: user
    comment: Used by Keychain Access when editing a system keychain.
    group: admin
    shared
    timeout: 30

  system.login.console
    class: evaluate-mechanisms
    comment: Login mechanism based rule. Not for general use, yet.
    mechanisms:
      builtin:policy-banner
      loginwindow:login
      builtin:login-begin
      builtin:reset-password,privileged
      builtin:forward-login,privileged
      builtin:auto-login,privileged
      builtin:authenticate,privileged
      PKINITMechanism:auth,privileged
      builtin:login-success
      loginwindow:success
      HomeDirMechanism:login,privileged
      HomeDirMechanism:status
      MCXMechanism:login
      loginwindow:done
    version: 1

  system.login.done
    class: evaluate-mechanisms
    mechanisms: []

  system.login.screensaver
    class: rule
    comment: The owner or any administrator can unlock the screensaver; set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.
    rule: use-login-window-ui
    version: 1

  system.login.tty
    class: evaluate-mechanisms
    mechanisms:
      push_hints_to_context
      authinternal
    tries: 1

  system.preferences
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to certain System Preferences.
    group: admin
    shared

  system.preferences.accessibility
    class: user
    comment: Checked when making changes to the Accessibility Preferences.
    group: admin
    shared
    timeout: 0

  system.preferences.accounts
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Users & Groups preference pane.
    group: admin
    shared

  system.preferences.datetime
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Date & Time preference pane.
    group: admin
    shared

  system.preferences.energysaver
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Energy Saver preference pane.
    group: admin
    shared

  system.preferences.location
    class: rule
    comment: For changing the network location from the Apple menu.
    k-of-n: 1
    rule: [on-console, is-admin, is-root]

  system.preferences.network
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Network preference pane.
    group: admin
    shared

  system.preferences.nvram
    class: rule
    k-of-n: 1
    rule: [entitled, admin]

  system.preferences.parental-controls
    class: user
    comment: Checked when making changes to the Parental Controls preference pane.
    group: admin
    shared

  system.preferences.printing
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Printing preference pane.
    group: admin
    shared

  system.preferences.security
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Security preference pane.
    group: admin
    shared

  system.preferences.security.remotepair
    class: user
    comment: Used by Bezel Services to gate IR remote pairing.
    entitled-group
    group: admin
    shared
    timeout: 30
    version: 1

  system.preferences.sharing
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Sharing preference pane.
    group: admin
    shared

  system.preferences.softwareupdate
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Software Update preference pane.
    group: admin
    shared

  system.preferences.startupdisk
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Startup Disk preference pane.
    group: admin
    shared

  system.preferences.timemachine
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Time Machine preference pane.
    group: admin
    shared

  system.preferences.version-cue
    class: rule
    comment: For gating modifications to Adobe Version Cue preferences.
    rule: authenticate-admin

  system.print.admin
    class: rule
    rule: root-or-lpadmin

  system.print.operator
    allow-root
    class: user
    group: _lpoperator
    shared

  system.printingmanager
    class: rule
    comment: For printing to locked printers.
    k-of-n: 1
    rule: [is-admin, authenticate-admin]

  system.privilege.admin
    allow-root
    class: user
    comment: Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges() is used by programs requesting to run a tool as root (e.g., some installers).
    group: admin
    shared
    timeout: 300

  system.privilege.taskport
    allow-root
    class: user
    comment: Used by task_for_pid(...). task_for_pid is called by programs requesting full control over another program for things like debugging or performance analysis. This authorization only applies if the requesting and target programs are run by the same user; it will never authorize access to the program of another user. WARNING: administrators are advised not to modify this right.
    group: _developer
    shared
    timeout: 36000

  system.privilege.taskport.debug
    allow-root
    class: user
    comment: For use by Apple. WARNING: administrators are advised not to modify this right.
    group: _developer
    shared
    timeout: 36000

  system.privilege.taskport.safe
    class: allow
    comment: For use by Apple.

  system.restart
    class: evaluate-mechanisms
    comment: Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
    mechanisms:
      RestartAuthorization:restart
      builtin:authenticate,privileged
      RestartAuthorization:success

  system.services.directory.configure
    allow-root
    class: user
    comment: For making Directory Services changes.
    group: admin
    shared

  system.services.systemconfiguration.network
    allow-root
    class: user
    comment: For making changes to network configuration via System Configuration.
    entitled-group
    group: admin
    version: 1
    vpn-entitled-group

  system.sharepoints.
    allow-root
    class: user
    comment: Checked when making changes to the Sharepoints.
    group: admin
    shared

  system.shutdown
    class: evaluate-mechanisms
    comment: Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
    mechanisms:
      RestartAuthorization:shutdown
      builtin:authenticate,privileged
      RestartAuthorization:success

  system.volume.
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: [is-root, is-admin, authenticate-admin-30]

  system.volume.external.
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: [is-root, is-admin, on-console, authenticate-admin-30]

  system.volume.external.adopt
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: [is-root, is-admin, authenticate-admin-30]

  system.volume.removable.
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: [is-root, is-admin, on-console, authenticate-admin-30]

  system.volume.removable.adopt
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: [is-root, is-admin, authenticate-admin-30]

rules:

  admin
    class: user
    group: admin
    shared

  allow
    class: allow
    comment: Allow anyone.

  app-specific-admin
    class: user
    group: admin

  appserver-admin
    class: user
    group: appserveradm

  appserver-user
    class: user
    group: appserverusr

  authenticate
    class: evaluate-mechanisms
    mechanisms:
      builtin:authenticate
      builtin:reset-password,privileged
      builtin:authenticate,privileged
      PKINITMechanism:auth,privileged

  authenticate-admin
    class: user
    comment: Authenticate as an administrator.
    group: admin
    shared
    timeout: 0

  authenticate-admin-30
    class: user
    comment: Like the default rule, but credentials remain valid for only 30 seconds after they've been obtained. An acquired credential is shared by all clients.
    group: admin
    shared
    timeout: 30

  authenticate-appstore-30
    class: user
    group: _appstore
    shared
    timeout: 30

  authenticate-developer
    class: user
    comment: Authenticate as a developer.
    group: _developer
    shared
    timeout: 36000

  authenticate-session-owner
    class: user
    comment: Authenticate as the session owner.
    session-owner

  authenticate-session-owner-or-admin
    allow-root
    class: user
    comment: Authenticate either as the owner or as an administrator.
    group: admin
    session-owner
    shared

  authenticate-session-user
    class: user
    comment: Same as authenticate-session-owner.
    session-owner

  default
    class: user
    comment: Default rule. Credentials remain valid for 5 minutes after they've been obtained. An acquired credential is shared by all clients.
    group: admin
    shared
    timeout: 300

  entitled
    class: evaluate-mechanisms
    mechanisms:
      builtin:entitled,privileged
    tries: 1

  entitled-admin
    class: rule
    k-of-n: 2
    rule: [is-admin, entitled]

  entitled-admin-or-authenticate-admin
    class: rule
    k-of-n: 1
    rule: [entitled-admin, authenticate-admin-30]

  entitled-appstore
    class: rule
    k-of-n: 2
    rule: [is-appstore, entitled]

  entitled-appstore-or-entitled-authenticate-appstore
    class: rule
    k-of-n: 1
    rule: [entitled-appstore, entitled-authenticate-appstore]

  entitled-authenticate-admin
    class: rule
    k-of-n: 2
    rule: [entitled, authenticate-admin-30]

  entitled-authenticate-appstore
    class: rule
    k-of-n: 2
    rule: [entitled, authenticate-appstore-30]

  entitled-session-owner
    class: rule
    k-of-n: 2
    rule: [is-session-owner, entitled]

  entitled-session-owner-or-authenticate-session-owner
    class: rule
    k-of-n: 1
    rule: [entitled-session-owner, authenticate-session-owner]

  is-admin
    authenticate-user
    class: user
    comment: Verify that the user asking for authorization is an administrator.
    group: admin
    shared

  is-appstore
    authenticate-user
    class: user
    group: _appstore
    shared

  is-developer
    authenticate-user
    class: user
    comment: Verify that the user asking for authorization is a developer.
    group: _developer

  is-lpadmin
    authenticate-user
    class: user
    group: _lpadmin

  is-root
    allow-root
    authenticate-user
    class: user
    comment: Verify that the process that created this AuthorizationRef is running as root.

  is-session-owner
    allow-root
    authenticate-user
    class: user
    comment: Verify that the requesting process is running as the session owner.
    session-owner

  lpadmin
    class: user
    group: _lpadmin
    shared

  on-console
    class: evaluate-mechanisms
    mechanisms:
      builtin:on-console
    tries: 1

  root-or-entitled-admin-or-admin
    class: rule
    k-of-n: 1
    rule: [is-root, entitled-admin, admin]

  root-or-entitled-admin-or-app-specific-admin
    class: rule
    k-of-n: 1
    rule: [is-root, entitled-admin, app-specific-admin]

  root-or-entitled-admin-or-authenticate-admin
    class: rule
    k-of-n: 1
    rule: [is-root, entitled-admin-or-authenticate-admin]

  root-or-lpadmin
    class: rule
    k-of-n: 1
    rule: [is-root, is-lpadmin, lpadmin]

  use-login-window-ui
    allow-root
    class: user
    comment: Authenticate either as the owner or as an administrator.
    group: admin
    session-owner
    shared
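The right-name reduction described in the header comment (exact key first, otherwise the longest wildcard key ending in "." that is a prefix of the name, with the empty key "" as the catch-all) and the allow/deny/user/rule class semantics, as an added Python model that is not Apple's Security framework code. It assumes the boolean keys in the constructed subset are true, that an entry with only a `rule` key (like `com.apple.`) is evaluated as class `rule`, that a missing `k-of-n` means all listed rules must pass, and that `authenticate-user` false (as modelled for `is-root`) makes group membership sufficient without a password.

```python
from typing import Any, Dict, List, Tuple

# Constructed subset of the rights database above; mechanism-based rules omitted.
RIGHTS: Dict[str, Dict[str, Any]] = {
    "": {"class": "rule", "rule": "default"},
    "com.apple.": {"rule": "default"},
    "com.apple.DiskManagement.": {"class": "rule", "k-of-n": 1,
                                  "rule": ["is-root", "is-admin", "default"]},
    "com.apple.DiskManagement.internal.": {"class": "rule", "k-of-n": 1,
                                           "rule": ["is-root", "is-admin"]},
    "config.config.": {"class": "deny"},
    "system.burn": {"class": "allow"},
    "system.install.software": {"class": "user", "group": "admin",
                                "allow-root": True, "timeout": 300},
}
RULES: Dict[str, Dict[str, Any]] = {
    "default": {"class": "user", "group": "admin", "shared": True, "timeout": 300},
    "is-root": {"class": "user", "allow-root": True,
                "authenticate-user": False},   # assumed: no password prompt
    "is-admin": {"class": "user", "group": "admin", "authenticate-user": True},
}

def lookup(right: str) -> Tuple[str, Dict[str, Any]]:
    """Reduce a requested right name to (matched key, entry)."""
    if right in RIGHTS:                       # an exact match has priority
        return right, RIGHTS[right]
    best = ""                                 # "" matches otherwise unmatched rights
    for key in RIGHTS:
        # only wildcard keys (ending in ".") take part in the reduction
        if key.endswith(".") and right.startswith(key) and len(key) > len(best):
            best = key
    return best, RIGHTS[best]

def evaluate(entry: Dict[str, Any], uid: int, groups: List[str],
             authenticated: bool) -> bool:
    """Decide one entry for a requester with the given uid, groups and auth state."""
    cls = entry.get("class", "rule")          # assumed: rule-only entries are class rule
    if cls == "allow":
        return True
    if cls == "deny":
        return False
    if cls == "user":
        if uid == 0 and entry.get("allow-root", False):
            return True                       # root passes automatically
        in_group = entry.get("group") in groups
        needs_auth = entry.get("authenticate-user", True)
        return in_group and (authenticated or not needs_auth)
    # class "rule": delegate to named rules, requiring k of n to succeed
    names = entry["rule"] if isinstance(entry["rule"], list) else [entry["rule"]]
    need = entry.get("k-of-n", len(names))
    passed = sum(evaluate(RULES[n], uid, groups, authenticated) for n in names)
    return passed >= need

if __name__ == "__main__":
    for name in ("com.apple.DiskManagement.internal.foo", "config.config.add",
                 "org.example.right"):
        key, entry = lookup(name)
        print(name, "->", repr(key), evaluate(entry, 501, ["admin"], True))
```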