comment:
  The name of the requested right is matched against the keys. An exact
  match has priority; otherwise the longest match from the start is used.
  Note that the right will only match wildcard rules (ending in a ".")
  during this reduction.

    allow rule: this is always allowed
        <key>com.apple.TestApp.benign</key>
        <string>allow</string>
    deny rule: this is always denied
        <key>com.apple.TestApp.dangerous</key>
        <string>deny</string>
    user rule: successful authentication as a user in the specified
        group(5) allows the associated right.

  The shared property specifies whether a credential generated on success
  is shared with other apps (i.e., those in the same "session"). This
  property defaults to false if not specified. The timeout property
  specifies the maximum age of a (cached/shared) credential accepted for
  this rule. The allow-root property specifies whether a right should be
  allowed automatically if the requesting process is running with
  uid == 0. This defaults to false if not specified. See remaining rules
  for examples.

rights:

  "" (empty key)
    class: rule
    comment: Matches otherwise unmatched rights (i.e., is a default).
    rule: default

  config.add.
    class: allow
    comment: Wildcard right for adding rights. Anyone is allowed to add any
             (non-wildcard) rights.

  config.config.
    class: deny
    comment: Wildcard right for any change to meta-rights for db
             modification. Not allowed programmatically (just edit this
             file).

  config.modify.
    class: rule
    comment: Wildcard right for modifying rights. Admins are allowed to
             modify any (non-wildcard) rights. Root does not require
             authentication.
    k-of-n: 1
    rule: [is-root, authenticate-admin]

  config.remove.
    class: rule
    comment: Wildcard right for deleting rights. Admins are allowed to
             delete any (non-wildcard) rights. Root does not require
             authentication.
    k-of-n: 1
    rule: [is-root, authenticate-admin]

  config.remove.system.
    class: deny
    comment: Wildcard right for deleting system rights.

  com.apple.
    rule: default

  system.
    rule: default

  sys.openfile.
    class: user
    comment: See authopen(1) for information on the use of this right.
    group: admin
    shared: true
    timeout: 300

  system.device.dvd.setregion.initial
    class: user
    comment: Used by the DVD player to set the region code the first time.
             Note that changing the region code after it has been set
             requires a different right
             (system.device.dvd.setregion.change).
    group: admin
    shared: true

  system.login.console
    class: evaluate-mechanisms
    comment: Login mechanism based rule. Not for general use, yet.
    mechanisms:
      builtin:smartcard-sniffer,privileged
      loginwindow:login
      builtin:reset-password,privileged
      builtin:auto-login,privileged
      builtin:authenticate,privileged
      HomeDirMechanism:login,privileged
      HomeDirMechanism:status
      MCXMechanism:login
      loginwindow:success
      loginwindow:done

  system.login.done
    class: evaluate-mechanisms
    mechanisms: (empty list)

  system.login.screensaver
    class: rule
    comment: The owner or any administrator can unlock the screensaver.
    rule: authenticate-session-owner-or-admin

  system.login.tty
    class: evaluate-mechanisms
    tries: 1
    mechanisms:
      push_hints_to_context
      authinternal

  system.keychain.create.loginkc
    allow-root: true
    class: evaluate-mechanisms
    comment: Used by the Security framework when you add an item to an
             unconfigured default keychain.
    mechanisms:
      loginKC:queryCreate
      loginKC:showPasswordUI
      authinternal
    session-owner: true
    shared: true

  system.keychain.modify
    class: user
    comment: Used by Keychain Access when editing a system keychain.
    group: admin
    shared: true
    timeout: 300

  system.preferences
    allow-root: true
    class: user
    comment: Checked by the Admin framework when making changes to certain
             System Preferences.
    group: admin
    shared: true

  system.preferences.accounts
    allow-root: true
    class: user
    comment: Checked by the Admin framework when making changes to the
             Accounts preference pane.
    group: admin
    shared: true

  system.preferences.parental-controls
    class: user
    comment: Checked when making changes to the Parental Controls
             preference pane.
    group: admin
    shared: true

  system.preferences.accessibility
    allow-root: true
    class: user
    comment: Checked by the Admin framework when enabling or disabling the
             Accessibility APIs.
    group: admin
    shared: true
    timeout: 0

  system.printingmanager
    class: rule
    comment: For printing to locked printers.
    rule: authenticate-admin

  system.print.admin
    allow-root: true
    class: user
    group: _lpadmin
    shared: true

  system.identity.write.
    class: rule
    comment: For creating, changing or deleting local user accounts and
             groups.
    k-of-n: 1
    rule: [is-admin, authenticate-admin]

  system.identity.write.credential
    class: rule
    comment: Checked when changing authentication credentials (password or
             certificate) for a local user account.
    rule: default

  system.identity.write.self
    class: user
    comment: Checked when changing authentication credentials (password or
             certificate) for the current user's account.
    authenticate-user: true
    session-owner: true

  system.global-login-items.
    class: rule
    k-of-n: 1
    rule: [is-admin, default]

  system.sharepoints.
    allow-root: true
    class: user
    comment: Checked when making changes to the Sharepoints.
    group: admin
    shared: true

  com.apple.activitymonitor.kill
    class: user
    comment: Used by Activity Monitor to authorize killing processes not
             owned by the user.
    group: admin
    shared: true
    timeout: 0

  com.apple.Safari.parental-controls
    allow-root: true
    class: user
    comment: Checked when changing parental controls for Safari.
    group: admin
    shared: true
    timeout: 0

  com.apple.docset.install
    class: user
    comment: Used by Xcode to restrict access to a daemon it uses to install
             and update documentation sets.
    group: admin
    shared: true

  system.privilege.admin
    allow-root: true
    class: user
    comment: Used by AuthorizationExecuteWithPrivileges(...).
             AuthorizationExecuteWithPrivileges() is used by programs
             requesting to run a tool as root (e.g., some installers).
    group: admin
    shared: true
    timeout: 300

  system.privilege.taskport
    allow-root: true
    class: user
    comment: Used by task_for_pid(...). Task_for_pid is called by programs
             requesting full control over another program for things like
             debugging or performance analysis.
             This authorization only applies if the requesting and target
             programs are run by the same user; it will never authorize
             access to the program of another user.
    group: admin
    shared: true

  system.restart
    class: evaluate-mechanisms
    comment: Checked if the foreground console user tries to restart the
             system while other users are logged in via fast-user switching.
    mechanisms:
      RestartAuthorization:restart
      RestartAuthorization:authenticate
      RestartAuthorization:success

  system.shutdown
    class: evaluate-mechanisms
    comment: Checked if the foreground console user tries to shut down the
             system while other users are logged in via fast-user switching.
    mechanisms:
      RestartAuthorization:shutdown
      RestartAuthorization:authenticate
      RestartAuthorization:success

  system.burn
    class: allow
    comment: For burning media.

  system.services.directory.configure
    class: user
    group: admin
    allow-root: true
    shared: true
    timeout: 300
    comment: For making Directory Services changes.

  com.apple.server.admin.streaming
    class: user
    comment: For making administrative requests to the QuickTime Streaming
             Server.
    group: admin
    shared: true
    allow-root: true
    timeout: 0

  com.apple.trust-settings.admin
    comment: For modifying Trust Settings in the Local Admin domain.
    allow-root: true
    class: user
    group: admin

  com.apple.trust-settings.user
    rule: authenticate-session-owner
    comment: For modifying per-user Trust Settings.

  system.install.admin.user
    class: user
    comment: Checked when user is installing in admin domain (/Applications).
    group: admin
    shared: true
    timeout: 300

  system.install.root.user
    class: user
    comment: Checked when user is installing in root domain (/System).
    group: admin
    shared: true
    timeout: 300

  system.install.root.admin
    class: user
    comment: Checked when admin is installing in root domain (/System).
    group: admin
    shared: true
    timeout: 300

  com.apple.appserver.privilege.admin
    class: rule
    comment: For administrative access to the Application Server management
             tool.
    rule: appserver-admin

  com.apple.appserver.privilege.user
    class: rule
    comment: For user access to the Application Server management tool.
    k-of-n: 1
    rule: [appserver-admin, appserver-user]

  com.apple.dashboard.advisory.allow
    class: user
    group: admin
    shared: true
    timeout: 300

  com.apple.desktopservices
    class: user
    comment: For privileged file operations from within the Finder.
    group: admin
    shared: true
    timeout: 0

  com.apple.builtin.generic-new-passphrase
    class: evaluate-mechanisms
    mechanisms:
      builtin:generic-new-passphrase

  com.apple.builtin.generic-unlock
    class: evaluate-mechanisms
    mechanisms:
      builtin:generic-unlock

  com.apple.builtin.confirm-access
    class: evaluate-mechanisms
    tries: 1
    mechanisms:
      builtin:confirm-access

  com.apple.builtin.confirm-access-password
    class: evaluate-mechanisms
    mechanisms:
      builtin:confirm-access-password

rules:

  allow
    class: allow
    comment: Allow anyone.

  authenticate-admin
    class: user
    comment: Authenticate as an administrator.
    group: admin
    shared: true
    timeout: 0

  authenticate-session-owner
    class: user
    comment: Authenticate as the session owner.
    session-owner: true

  authenticate-session-owner-or-admin
    allow-root: true
    class: user
    comment: Authenticate either as the owner or as an administrator.
    group: admin
    session-owner: true
    shared: true

  is-admin
    class: user
    comment: Verify that the user asking for authorization is an
             administrator.
    group: admin
    authenticate-user: false
    shared: true

  is-root
    allow-root: true
    class: user
    authenticate-user: false
    comment: Verify that the process that created this AuthorizationRef is
             running as root.

  appserver-user
    class: user
    group: appserverusr

  appserver-admin
    class: user
    group: appserveradm

  default
    class: user
    comment: Default rule. Credentials remain valid for 5 minutes after
             they've been obtained. An acquired credential is shared by all
             clients.
    group: admin
    shared: true
    timeout: 300

  authenticate
    class: evaluate-mechanisms
    mechanisms:
      builtin:smartcard-sniffer,privileged
      builtin:authenticate
      builtin:authenticate,privileged
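The lookup described in the header comment (exact key first, then the longest wildcard key ending in ".", with the empty key as the catch-all) and the class user properties (group, allow-root, authenticate-user, shared, timeout, plus k-of-n over a list of rules) are small enough to model end to end. The resolver and evaluator below are an added example, not Apple's code and not part of this file: the plist excerpt embedded in it is a constructed miniature of the database above, the clock and the password prompt are simulated (`password_ok` stands in for the prompt's outcome), and evaluate-mechanisms rights are deliberately not modelled. Note in particular that `class deny` never consults allow-root, so `config.remove.system.` refuses root, and that `timeout 0` on authenticate-admin means a shared admin credential that the `default` rule still accepts is not good enough there.

```python
import plistlib
import time

# Constructed excerpt of /etc/authorization (example data, not the whole file).
AUTH_DB = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>rights</key><dict>
  <key></key><dict><key>class</key><string>rule</string><key>rule</key><string>default</string></dict>
  <key>com.apple.</key><dict><key>rule</key><string>default</string></dict>
  <key>config.remove.</key><dict><key>class</key><string>rule</string><key>k-of-n</key><integer>1</integer>
    <key>rule</key><array><string>is-root</string><string>authenticate-admin</string></array></dict>
  <key>config.remove.system.</key><dict><key>class</key><string>deny</string></dict>
  <key>system.burn</key><dict><key>class</key><string>allow</string></dict>
  <key>system.privilege.admin</key><dict><key>allow-root</key><true/><key>class</key><string>user</string>
    <key>group</key><string>admin</string><key>shared</key><true/><key>timeout</key><integer>300</integer></dict>
</dict>
<key>rules</key><dict>
  <key>default</key><dict><key>class</key><string>user</string><key>group</key><string>admin</string>
    <key>shared</key><true/><key>timeout</key><integer>300</integer></dict>
  <key>authenticate-admin</key><dict><key>class</key><string>user</string><key>group</key><string>admin</string>
    <key>shared</key><true/><key>timeout</key><integer>0</integer></dict>
  <key>is-root</key><dict><key>allow-root</key><true/><key>class</key><string>user</string>
    <key>authenticate-user</key><false/></dict>
</dict>
</dict></plist>"""

def load_db(data=AUTH_DB):
    return plistlib.loads(data)

def resolve(rights, name):
    """Exact key first, otherwise the longest wildcard key (ending in '.')
    that prefixes the name; the empty key is the catch-all."""
    if name in rights:
        return name, rights[name]
    best = ""
    for key in rights:
        if key.endswith(".") and name.startswith(key) and len(key) > len(best):
            best = key
    return best, rights[best]

class Authorizer:
    def __init__(self, db, clock=time.time):
        self.rights, self.rules = db["rights"], db["rules"]
        self.clock = clock
        self.shared = {}  # group -> time a shared credential for it was acquired

    def authorize(self, right, uid, groups, password_ok):
        """password_ok stands in for the outcome of the password prompt (simulated)."""
        return self._eval(resolve(self.rights, right)[1], uid, groups, password_ok)

    def _eval(self, spec, uid, groups, password_ok):
        if "class" not in spec:  # bare {"rule": name}, as for com.apple. and system.
            return self._eval(self.rules[spec["rule"]], uid, groups, password_ok)
        cls = spec["class"]
        if cls == "allow":
            return True
        if cls == "deny":  # deny never consults allow-root, so root is refused too
            return False
        if cls == "rule":
            names = spec["rule"] if isinstance(spec["rule"], list) else [spec["rule"]]
            passed = sum(self._eval(self.rules[n], uid, groups, password_ok) for n in names)
            return passed >= spec.get("k-of-n", len(names))
        if cls == "user":
            return self._eval_user(spec, uid, groups, password_ok)
        raise NotImplementedError(f"class {cls!r} (evaluate-mechanisms) is not modelled here")

    def _eval_user(self, spec, uid, groups, password_ok):
        if uid == 0 and spec.get("allow-root", False):
            return True  # root skips the prompt only where allow-root is set
        group = spec.get("group")
        if not spec.get("authenticate-user", True):
            return group is not None and group in groups  # membership only, no prompt
        now, timeout, acquired = self.clock(), spec.get("timeout"), self.shared.get(group)
        # A cached credential counts if the rule shares and it is younger than timeout
        # (no timeout: good for the session; timeout 0: always re-authenticate).
        if spec.get("shared") and acquired is not None and (timeout is None or now - acquired < timeout):
            return True
        if group in groups and password_ok:
            if spec.get("shared"):
                self.shared[group] = now
            return True
        return False

def demo():
    clock = {"t": 1000.0}  # controllable clock instead of time.time()
    auth = Authorizer(load_db(), clock=lambda: clock["t"])
    admin = {"admin", "staff"}
    out = {}
    out["root_remove"] = auth.authorize("config.remove.foo", 0, {"wheel"}, False)            # is-root
    out["staff_remove"] = auth.authorize("config.remove.foo", 501, {"staff"}, True)         # not admin
    out["root_remove_sys"] = auth.authorize("config.remove.system.foo", 0, {"wheel"}, True)  # deny
    out["admin_exec"] = auth.authorize("system.privilege.admin", 502, admin, True)          # prompt, then cached
    clock["t"] += 100
    out["admin_reuse"] = auth.authorize("com.apple.anything", 502, admin, False)            # default, age 100 < 300
    out["admin_remove_cached"] = auth.authorize("config.remove.foo", 502, admin, False)     # timeout 0
    clock["t"] += 300
    out["admin_stale"] = auth.authorize("com.example.tool", 502, admin, False)              # "" key, age 400
    out["anyone_burn"] = auth.authorize("system.burn", 503, set(), False)                   # allow
    return out
```

`demo()` grants root the `config.remove.` right without a prompt, refuses a non-admin even with a correct password, refuses root for `config.remove.system.` because the class is deny, and shows the shared admin credential being accepted by the 300-second `default` rule but not by the zero-timeout `authenticate-admin` rule. On a real machine the live definition of a right can be inspected with `security authorizationdb read <right>`.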