comment:
  The name of the requested right is matched against the keys. An exact match has priority, otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction.

  allow rule: this is always allowed
      <key>com.apple.TestApp.benign</key>
      <string>allow</string>

  deny rule: this is always denied
      <key>com.apple.TestApp.dangerous</key>
      <string>deny</string>

  user rule: successful authentication as a user in the specified group(5) allows the associated right.
  The shared property specifies whether a credential generated on success is shared with other apps (same "session"). This property defaults to false if not specified.
  The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule.
  The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.

  See remaining rules for examples.

rights:

  (empty key)
    class: rule
    comment: All other rights will be matched by this rule.
    rule: default

  config.add.
    class: allow
    comment: wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights

  config.config.
    class: deny
    comment: wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file)

  config.modify.
    class: rule
    comment: wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
    k-of-n: 1
    rule:
      is-root
      authenticate-admin

  config.remove.
    class: rule
    comment: wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
    k-of-n: 1
    rule:
      is-root
      authenticate-admin

  config.remove.system.
    class: deny
    comment: wildcard right for deleting system rights.

  sys.openfile.
    class: user
    comment: See authopen(1) for information on the use of this right.
    group: admin
    shared
    timeout: 300

  system.device.dvd.setregion.initial
    class: user
    comment: Used by the dvd player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). Credentials remain valid indefinitely after they've been obtained. An acquired credential is shared amongst all clients.
    group: admin
    shared

  system.login.console
    class: evaluate-mechanisms
    comment: Login mechanism based rule. Not for general use, yet. builtin:krb5authenticate can be used to hinge local authentication on a successful kerberos authentication and kdc verification. builtin:krb5authnoverify skips the kdc verification. Both fall back on local authentication.
    mechanisms:
      builtin:auto-login,privileged
      loginwindow_builtin:login
      builtin:reset-password,privileged
      authinternal
      builtin:getuserinfo,privileged
      builtin:sso,privileged
      HomeDirMechanism:login,privileged
      HomeDirMechanism:status
      MCXMechanism:login
      loginwindow_builtin:success
      loginwindow_builtin:done

  system.login.done
    class: evaluate-mechanisms
    comment: builtin:krb5login can be used to do kerberos authentication as a side-effect of logging in. Local username/password will be used.
    mechanisms: (empty)

  system.login.pam
    class: evaluate-mechanisms
    tries: 1
    mechanisms:
      push_hints_to_context
      authinternal

  system.login.screensaver
    class: rule
    comment: the owner as well as any admin can unlock the screensaver; modify the group key to change this.
    rule: authenticate-session-owner-or-admin

  system.login.tty
    class: evaluate-mechanisms
    tries: 1
    mechanisms:
      push_hints_to_context
      authinternal

  system.keychain.create.loginkc
    allow-root
    class: evaluate-mechanisms
    comment: Used by Security framework when you add an item to an unconfigured default keychain
    mechanisms:
      loginKC:queryCreate
      loginKC:showPasswordUI
      authinternal
    session-owner
    shared

  system.keychain.modify
    class: user
    comment: Used by Keychain Access when editing a system keychain.
    group: admin
    shared
    timeout: 300

  system.preferences
    allow-root
    class: user
    comment: This right is checked by the Admin framework when making changes to the system preferences.
    group: admin
    shared

  system.preferences.accounts
    allow-root
    class: user
    comment: This right is checked by the Admin framework when making changes to the accounts preference pane
    group: admin
    shared

  system.printingmanager
    class: rule
    comment: The following right is checked for printing to locked printers.
    rule: authenticate-admin

  system.preferences.accessibility
    allow-root
    class: user
    comment: This right is checked by the Admin framework when enabling or disabling the Accessibility APIs
    group: admin
    shared
    timeout: 0

  com.apple.activitymonitor.kill
    class: user
    comment: Used by Activity Monitor to authorize killing processes not owned by the user
    group: admin
    shared
    timeout: 0

  com.apple.Safari.parental-controls
    allow-root
    class: user
    comment: This right is checked when changing parental controls for Safari
    group: admin
    shared
    timeout: 0

  system.privilege.admin
    allow-root
    class: user
    comment: Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges is used by programs requesting to run a tool as root (i.e. some installers). Credentials remain valid 5 minutes after they've been obtained. An acquired credential isn't shared with other clients. Clients running as root will be granted this right automatically.
    group: admin
    shared
    timeout: 300

  system.restart
    class: evaluate-mechanisms
    comment: Multisession restart mechanisms
    mechanisms:
      RestartAuthorization:restart
      RestartAuthorization:authenticate
      RestartAuthorization:success

  system.shutdown
    class: evaluate-mechanisms
    comment: Multisession shutdown mechanisms
    mechanisms:
      RestartAuthorization:shutdown
      RestartAuthorization:authenticate
      RestartAuthorization:success

  system.burn
    class: allow
    comment: authorization to burn media

  system.services.directory.configure
    class: user
    group: admin
    allow-root
    shared
    timeout: 300
    comment: authorization to make directory service changes

  com.apple.server.admin.streaming
    class: user
    comment: Used for admin requests with the QuickTime Streaming Server.
    group: admin
    shared
    allow-root
    timeout: 0

  system.install.admin.user
    class: user
    comment: Used by installer tool: user installing in admin domain (/Applications)
    group: admin
    shared
    timeout: 300

  system.install.root.user
    class: user
    comment: Used by installer tool: user installing in root domain (/System)
    group: admin
    shared
    timeout: 300

  system.install.root.admin
    class: user
    comment: Used by installer tool: admin installing in root domain (/System)
    group: admin
    shared
    timeout: 300

  com.apple.appserver.privilege.admin
    class: rule
    comment: Used to determine administrative access to the Application Server management tool.
    rule: appserver-admin

  com.apple.appserver.privilege.user
    class: rule
    comment: Used to determine user access to the Application Server management tool.
    k-of-n: 1
    rule:
      appserver-admin
      appserver-user

  com.apple.desktopservices
    class: user
    comment: authorize privileged file operations from the finder
    group: admin
    shared
    timeout: 0

  com.apple.builtin.generic-new-passphrase
    class: evaluate-mechanisms
    mechanisms:
      builtin:generic-new-passphrase

  com.apple.builtin.generic-unlock
    class: evaluate-mechanisms
    mechanisms:
      builtin:generic-unlock

  com.apple.builtin.confirm-access
    class: evaluate-mechanisms
    mechanisms:
      builtin:confirm-access

  com.apple.builtin.confirm-access-password
    class: evaluate-mechanisms
    mechanisms:
      builtin:confirm-access-password

rules:

  allow
    class: allow
    comment: allow anyone

  authenticate-admin
    class: user
    comment: require the user asking for authorization to authenticate as an admin
    group: admin
    shared
    timeout: 0

  authenticate-session-user
    class: user
    comment: authenticate session owner
    session-owner

  authenticate-session-owner
    class: user
    comment: authenticate session owner
    session-owner

  authenticate-session-owner-or-admin
    allow-root
    class: user
    comment: the owner as well as any admin can authorize
    group: admin
    session-owner
    shared

  is-admin
    class: user
    comment: verify the user asking for authorization is an admin
    group: admin
    authenticate-user
    shared: true

  is-root
    allow-root
    class: user
    authenticate-user
    comment: verify the process that created this authref is root

  appserver-user
    class: user
    group: appserverusr

  appserver-admin
    class: user
    group: appserveradm

  default
    class: user
    comment: All other rights will be matched by this rule. Credentials remain valid 5 minutes after they've been obtained. An acquired credential is shared amongst all clients.
    group: admin
    shared
    timeout: 300

  authenticate
    class: evaluate-mechanisms
    mechanisms:
      builtin:authenticate
      authinternal
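The reduction the top comment describes (exact key first, then the longest wildcard key ending in ".", then the empty catch-all key) together with the allow, deny, user and k-of-n rule classes, as an added Python example that is not part of Apple's authorization database. It runs over a constructed subset of the rights and rules above; Requester, evaluate and authorize are hypothetical names, and evaluate-mechanisms rules are left out.

```python
from dataclasses import dataclass, field
RIGHTS = {  # constructed subset of the rights listed above, not the full database
    "": {"class": "rule", "rule": ["default"]},  # empty key: all other rights
    "config.remove.": {"class": "rule", "k-of-n": 1, "rule": ["is-root", "authenticate-admin"]},
    "config.remove.system.": {"class": "deny"},
    "system.burn": {"class": "allow"},
    "system.preferences": {"class": "user", "group": "admin", "allow-root": True, "shared": True},
}
RULES = {
    "default": {"class": "user", "group": "admin", "shared": True, "timeout": 300},
    "authenticate-admin": {"class": "user", "group": "admin", "shared": True, "timeout": 0},
    "is-root": {"class": "user", "allow-root": True, "authenticate-user": False},
}
def match_right(name, rights):
    """Exact key wins; else the longest wildcard key (ending in '.') that prefixes name; else ''."""
    if name in rights:
        return name
    wild = [k for k in rights if k.endswith(".") and name.startswith(k)]
    return max(wild, key=len) if wild else ""

@dataclass
class Requester:  # hypothetical stand-in for the calling process and its session
    uid: int
    groups: set
    authenticated: bool = False  # True if the user just passed a password prompt
    shared_creds: dict = field(default_factory=dict)  # group -> time a shared credential was obtained

def evaluate(spec, req, rules, now):
    cls = spec["class"]
    if cls in ("allow", "deny"):
        return cls == "allow"
    if cls == "rule":  # k-of-n over named rules; without k-of-n every listed rule must pass
        hits = sum(evaluate(rules[r], req, rules, now) for r in spec["rule"])
        return hits >= spec.get("k-of-n", len(spec["rule"]))
    if cls == "user":
        if spec.get("allow-root") and req.uid == 0:
            return True  # uid 0 is granted without any prompt
        group = spec.get("group")
        if group is None or group not in req.groups:
            return False  # no qualifying group, or the caller is not a member of it
        if spec.get("authenticate-user", True) is False:
            return True  # membership alone suffices (is-admin style), no password asked
        cred = req.shared_creds.get(group) if spec.get("shared") else None
        timeout = spec.get("timeout")  # absent timeout: a cached credential never expires
        if cred is not None and (timeout is None or 0 < timeout and now - cred <= timeout):
            return True
        return req.authenticated  # otherwise the user has to authenticate right now
    raise ValueError(f"class {cls!r} (e.g. evaluate-mechanisms) is not modelled here")
def authorize(name, req, now):
    return evaluate(RIGHTS[match_right(name, RIGHTS)], req, RULES, now)
```

Note that `config.remove.system.anything` is denied even for root because the longer wildcard wins over `config.remove.`, and that a rule with `timeout 0` never accepts a cached credential.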