comment

    The name of the requested right is matched against the keys. An exact
    match has priority, otherwise the longest match from the start is used.
    Note that the right will only match wildcard rules (ending in a ".")
    during this reduction.

    allow rule: this is always allowed
        <key>com.apple.TestApp.benign</key>
        <string>allow</string>

    deny rule: this is always denied
        <key>com.apple.TestApp.dangerous</key>
        <string>deny</string>

    user rule: successful authentication as a user in the specified group(5)
    allows the associated right. The shared property specifies whether a
    credential generated on success is shared with other apps (i.e., those in
    the same "session"). This property defaults to false if not specified.
    The timeout property specifies the maximum age of a (cached/shared)
    credential accepted for this rule. The allow-root property specifies
    whether a right should be allowed automatically if the requesting process
    is running with uid == 0. This defaults to false if not specified.

    See remaining rules for examples.

rights

    "" (empty right name)
        class:      rule
        comment:    Matches otherwise unmatched rights (i.e., is a default).
        rule:       default

    com.alf
        class:      rule
        k-of-n:     1
        rule:       is-admin
                    default
        timeout:    300

    com.apple.
        rule:       default

    com.apple.CoreRAID.admin
        allow-root
        class:      user
        comment:    Used by CoreRAID to allow access to administration functions of RAID devices
        group:      admin
        shared

    com.apple.Safari.parental-controls
        allow-root
        class:      user
        comment:    Checked when changing parental controls for Safari.
        group:      admin
        shared
        timeout:    0

    com.apple.activitymonitor.kill
        class:      user
        comment:    Used by Activity Monitor to authorize killing processes not owned by the user.
        group:      admin
        shared
        timeout:    0

    com.apple.appserver.privilege.admin
        class:      rule
        comment:    For administrative access to the Application Server management tool.
        rule:       appserver-admin

    com.apple.appserver.privilege.user
        class:      rule
        comment:    For user access to the Application Server management tool.
        k-of-n:     1
        rule:       appserver-admin
                    appserver-user

    com.apple.builtin.confirm-access
        class:      evaluate-mechanisms
        mechanisms: builtin:confirm-access
        tries:      1

    com.apple.builtin.confirm-access-password
        class:      evaluate-mechanisms
        mechanisms: builtin:confirm-access-password

    com.apple.builtin.generic-new-passphrase
        class:      evaluate-mechanisms
        mechanisms: builtin:generic-new-passphrase

    com.apple.builtin.generic-unlock
        class:      evaluate-mechanisms
        mechanisms: builtin:generic-unlock

    com.apple.dashboard.advisory.allow
        class:      user
        group:      admin
        shared
        timeout:    300

    com.apple.desktopservices
        class:      user
        comment:    For privileged file operations from within the Finder.
        group:      admin
        shared
        timeout:    0

    com.apple.docset.install
        class:      user
        comment:    Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
        group:      admin
        shared

    com.apple.server.admin.streaming
        allow-root
        class:      user
        comment:    For making administrative requests to the QuickTime Streaming Server.
        group:      admin
        shared
        timeout:    0

    com.apple.trust-settings.admin
        allow-root
        class:      user
        comment:    For modifying Trust Settings in the Local Admin domain.
        group:      admin

    com.apple.trust-settings.user
        comment:    For modifying per-user Trust Settings.
        rule:       authenticate-session-owner

    config.add.
        class:      allow
        comment:    Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.

    config.config.
        class:      deny
        comment:    Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).

    config.modify.
        class:      rule
        comment:    Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
        k-of-n:     1
        rule:       is-root
                    authenticate-admin

    config.remove.
        class:      rule
        comment:    Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
        k-of-n:     1
        rule:       is-root
                    authenticate-admin

    config.remove.system.
        class:      deny
        comment:    Wildcard right for deleting system rights.

    sys.openfile.
        class:      user
        comment:    See authopen(1) for information on the use of this right.
        group:      admin
        shared
        timeout:    300

    system.
        rule:       default

    system.burn
        class:      allow
        comment:    For burning media.

    system.device.dvd.setregion.initial
        class:      user
        comment:    Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
        group:      admin
        shared

    system.global-login-items.
        class:      rule
        k-of-n:     1
        rule:       is-admin
                    default

    system.identity.write.
        class:      rule
        comment:    For creating, changing or deleting local user accounts and groups.
        k-of-n:     1
        rule:       is-admin
                    authenticate-admin

    system.identity.write.credential
        class:      rule
        comment:    Checked when changing authentication credentials (password or certificate) for a local user account.
        rule:       default

    system.identity.write.self
        authenticate-user
        class:      user
        comment:    Checked when changing authentication credentials (password or certificate) for the current user's account.
        session-owner

    system.install.admin.user
        class:      user
        comment:    Checked when user is installing in admin domain (/Applications).
        group:      admin
        shared
        timeout:    300

    system.install.root.admin
        class:      user
        comment:    Checked when admin is installing in root domain (/System).
        group:      admin
        shared
        timeout:    300

    system.install.root.user
        class:      user
        comment:    Checked when user is installing in root domain (/System).
        group:      admin
        shared
        timeout:    300

    system.keychain.create.loginkc
        allow-root
        class:      evaluate-mechanisms
        comment:    Used by the Security framework when you add an item to an unconfigured default keychain.
        mechanisms: loginKC:queryCreate
                    loginKC:showPasswordUI
                    authinternal
        session-owner
        shared

    system.keychain.modify
        class:      user
        comment:    Used by Keychain Access when editing a system keychain.
        group:      admin
        shared
        timeout:    300

    system.login.console
        class:      evaluate-mechanisms
        comment:    Login mechanism based rule. Not for general use, yet.
        mechanisms: builtin:smartcard-sniffer,privileged
                    loginwindow:login
                    builtin:reset-password,privileged
                    builtin:auto-login,privileged
                    builtin:krb5authnoverify,privileged
                    HomeDirMechanism:login,privileged
                    HomeDirMechanism:status
                    MCXMechanism:login
                    loginwindow:success
                    loginwindow:done

    system.login.done
        class:      evaluate-mechanisms
        mechanisms: (empty)

    system.login.screensaver
        class:      rule
        comment:    The owner or any administrator can unlock the screensaver.
        rule:       authenticate-session-owner-or-admin

    system.login.tty
        class:      evaluate-mechanisms
        mechanisms: push_hints_to_context
                    authinternal
        tries:      1

    system.preferences
        allow-root
        class:      user
        comment:    Checked by the Admin framework when making changes to certain System Preferences.
        group:      admin
        shared

    system.preferences.accessibility
        allow-root
        class:      user
        comment:    Checked by the Admin framework when enabling or disabling the Accessibility APIs.
        group:      admin
        shared
        timeout:    0

    system.preferences.accounts
        allow-root
        class:      user
        comment:    Checked by the Admin framework when making changes to the Accounts preference pane.
        group:      admin
        shared

    system.preferences.parental-controls
        class:      user
        comment:    Checked when making changes to the Parental Controls preference pane.
        group:      admin
        shared

    system.print.admin
        class:      rule
        k-of-n:     1
        rule:       is-lpadmin
                    is-admin
                    default

    system.printingmanager
        class:      rule
        comment:    For printing to locked printers.
        rule:       authenticate-admin

    system.privilege.admin
        allow-root
        class:      user
        comment:    Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges() is used by programs requesting to run a tool as root (e.g., some installers).
        group:      admin
        shared
        timeout:    300

    system.privilege.taskport
        allow-root
        class:      user
        comment:    Used by task_for_pid(...). Task_for_pid is called by programs requesting full control over another program for things like debugging or performance analysis. This authorization only applies if the requesting and target programs are run by the same user; it will never authorize access to the program of another user.
        group:      admin
        shared

    system.restart
        class:      evaluate-mechanisms
        comment:    Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
        mechanisms: RestartAuthorization:restart
                    RestartAuthorization:authenticate
                    RestartAuthorization:success

    system.services.directory.configure
        allow-root
        class:      user
        comment:    For making Directory Services changes.
        group:      admin
        shared
        timeout:    300

    system.sharepoints.
        allow-root
        class:      user
        comment:    Checked when making changes to the Sharepoints.
        group:      admin
        shared

    system.shutdown
        class:      evaluate-mechanisms
        comment:    Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
        mechanisms: RestartAuthorization:shutdown
                    RestartAuthorization:authenticate
                    RestartAuthorization:success

rules

    allow
        class:      allow
        comment:    Allow anyone.

    appserver-admin
        class:      user
        group:      appserveradm

    appserver-user
        class:      user
        group:      appserverusr

    authenticate
        class:      evaluate-mechanisms
        mechanisms: builtin:smartcard-sniffer,privileged
                    builtin:authenticate
                    builtin:authenticate,privileged

    authenticate-admin
        class:      user
        comment:    Authenticate as an administrator.
        group:      admin
        shared
        timeout:    0

    authenticate-session-owner
        class:      user
        comment:    Authenticate as the session owner.
        session-owner

    authenticate-session-owner-or-admin
        allow-root
        class:      user
        comment:    Authenticate either as the owner or as an administrator.
        group:      admin
        session-owner
        shared

    default
        class:      user
        comment:    Default rule. Credentials remain valid for 5 minutes after they've been obtained. An acquired credential is shared by all clients.
        group:      admin
        shared
        timeout:    300

    is-admin
        authenticate-user
        class:      user
        comment:    Verify that the user asking for authorization is an administrator.
        group:      admin
        shared:     true

    is-lpadmin
        authenticate-user
        class:      user
        comment:    Verify that the user asking for authorization is an lp administrator.
        group:      lpadmin

    is-root
        allow-root
        authenticate-user
        class:      user
        comment:    Verify that the process that created this AuthorizationRef is running as root.
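The top-level comment describes how a requested right name is reduced to an entry of the rights table: an exact key wins, otherwise the longest wildcard key (ending in ".") that is a prefix of the name, with the empty key as the final catch-all; rights of class "rule" then defer to named entries in the rules table. The following Python is an added example written for this page, not code from Apple's authorization database or Security framework. It implements that lookup over a constructed subset of the entries listed above; the right and rule names are taken from the file, while the Python dictionaries, the boolean values (the file lists keys such as shared and allow-root without their values, so True/False here is assumed) and the test right names such as "org.example.thing" are constructed for the example.

```python
"""Resolve an authorization right name the way the file's comment describes.

Added example. RIGHTS and RULES are constructed subsets of the "rights" and
"rules" dictionaries above; boolean values are assumed, since the listing
shows the keys but not their values.
"""
from typing import Dict, List, Optional, Tuple

# Constructed subset of the "rights" dictionary. Wildcard keys end in ".".
RIGHTS: Dict[str, dict] = {
    "": {"class": "rule", "rule": "default"},              # catch-all entry
    "com.apple.": {"rule": "default"},
    "com.apple.Safari.parental-controls": {
        "allow-root": True, "class": "user", "group": "admin",
        "shared": True, "timeout": 0,
    },
    "config.add.": {"class": "allow"},
    "config.config.": {"class": "deny"},
    "config.modify.": {"class": "rule", "k-of-n": 1,
                       "rule": ["is-root", "authenticate-admin"]},
    "config.remove.": {"class": "rule", "k-of-n": 1,
                       "rule": ["is-root", "authenticate-admin"]},
    "config.remove.system.": {"class": "deny"},
    "system.": {"rule": "default"},
    "system.print.admin": {"class": "rule", "k-of-n": 1,
                           "rule": ["is-lpadmin", "is-admin", "default"]},
}

# Constructed subset of the "rules" dictionary (authenticate-user values assumed).
RULES: Dict[str, dict] = {
    "default": {"class": "user", "group": "admin", "shared": True, "timeout": 300},
    "authenticate-admin": {"class": "user", "group": "admin", "shared": True, "timeout": 0},
    "is-admin": {"authenticate-user": False, "class": "user", "group": "admin", "shared": True},
    "is-lpadmin": {"authenticate-user": False, "class": "user", "group": "lpadmin"},
    "is-root": {"allow-root": True, "authenticate-user": False, "class": "user"},
}


def match_right(name: str, rights: Dict[str, dict] = RIGHTS) -> Optional[str]:
    """Return the key of `rights` that governs `name`, or None if nothing applies."""
    if name in rights:                      # an exact match has priority
        return name
    # Only wildcard keys (ending in ".") take part in the prefix reduction.
    wildcards = [k for k in rights if k.endswith(".") and name.startswith(k)]
    if wildcards:
        return max(wildcards, key=len)      # longest match from the start
    return "" if "" in rights else None     # the empty key matches anything else


def effective_rules(name: str, rights: Dict[str, dict] = RIGHTS,
                    rules: Dict[str, dict] = RULES) -> List[Tuple[str, dict]]:
    """Follow class "rule" references into `rules` and return the leaf entries.

    Each result is a (label, entry) pair; a leaf is any entry whose class is not
    "rule". An entry that carries only a "rule" key (e.g. "com.apple.") is
    treated as class "rule", which is how the file uses it. Every referenced
    rule is visited once, so a cyclic reference cannot loop forever.
    """
    key = match_right(name, rights)
    if key is None:
        return []
    leaves: List[Tuple[str, dict]] = []
    seen = set()

    def walk(label: str, entry: dict) -> None:
        cls = entry.get("class", "rule" if "rule" in entry else None)
        if cls != "rule":
            leaves.append((label, entry))
            return
        refs = entry["rule"]
        for ref in ([refs] if isinstance(refs, str) else refs):
            if ref not in seen:
                seen.add(ref)
                walk(ref, rules[ref])

    walk(key, rights[key])
    return leaves


if __name__ == "__main__":
    for right in ("config.remove.system.foo", "com.apple.Finder.anything",
                  "system.print.admin", "org.example.thing"):
        key = match_right(right)
        names = [label for label, _ in effective_rules(right)]
        print(f"{right!r} -> key {key!r} -> leaf rules {names}")
```

Two points the walk makes visible: "config.remove.system.foo" is governed by the deny entry "config.remove.system." even though the shorter "config.remove." would have allowed an admin, because the longer prefix wins; and a name under "com.apple." with no exact entry is not denied but falls through to the "default" rule (admin group, 5-minute shared credential), which is why a new right should be registered explicitly rather than left to inherit a wildcard.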