```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>comment</key>
  <string>The name of the requested right is matched against the keys. An exact match has priority, otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction.

allow rule: this is always allowed
  &lt;key&gt;com.apple.TestApp.benign&lt;/key&gt;
  &lt;string&gt;allow&lt;/string&gt;

deny rule: this is always denied
  &lt;key&gt;com.apple.TestApp.dangerous&lt;/key&gt;
  &lt;string&gt;deny&lt;/string&gt;

user rule: successful authentication as a user in the specified group(5) allows the associated right.

The shared property specifies whether a credential generated on success is shared with other apps (same "session"). This property defaults to false if not specified.

The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule.

The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.

See remaining rules for examples.
</string>
  <key>rights</key>
  <dict>
    <key></key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>All other rights will be matched by this rule. Credentials remain valid 5 minutes after they've been obtained. An acquired credential is shared amongst all clients.</string>
      <key>rule</key>
      <string>default</string>
    </dict>
    <key>config.add.</key>
    <dict>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights</string>
    </dict>
    <key>config.config.</key>
    <dict>
      <key>class</key>
      <string>deny</string>
      <key>comment</key>
      <string>wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file)</string>
    </dict>
    <key>config.modify.</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights</string>
      <key>rule</key>
      <string>authenticate-admin</string>
    </dict>
    <key>config.remove.</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights</string>
      <key>rule</key>
      <string>authenticate-admin</string>
    </dict>
    <key>config.remove.system.</key>
    <dict>
      <key>class</key>
      <string>deny</string>
      <key>comment</key>
      <string>wildcard right for deleting system rights.</string>
    </dict>
    <key>sys.openfile.</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>See authopen(1) for information on the use of this right.</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.device.dvd.setregion.initial</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). Credentials remain valid indefinitely after they've been obtained. An acquired credential is shared amongst all clients.</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
    </dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Login mechanism based rule. Not for general use, yet. builtin:krb5authenticate can be used to hinge local authentication on a successful Kerberos authentication and KDC verification. builtin:krb5authnoverify skips the KDC verification. Both fall back on local authentication.</string>
      <key>mechanisms</key>
      <array>
        <string>loginwindow_builtin:login</string>
        <string>authinternal</string>
        <string>HomeDirMechanism:login</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow_builtin:success</string>
        <string>builtin:getuserinfo</string>
        <string>builtin:sso</string>
        <string>loginwindow_builtin:done</string>
      </array>
    </dict>
    <key>system.login.done</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>builtin:krb5login can be used to do Kerberos authentication as a side-effect of logging in. Local username/password will be used.</string>
      <key>mechanisms</key>
      <array/>
    </dict>
    <key>system.login.pam</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>tries</key>
      <integer>1</integer>
      <key>mechanisms</key>
      <array>
        <string>push_hints_to_context</string>
        <string>authinternal</string>
      </array>
    </dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>the owner as well as any admin can unlock the screensaver; modify the group key to change this.</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
    <key>system.login.tty</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>tries</key>
      <integer>1</integer>
      <key>mechanisms</key>
      <array>
        <string>push_hints_to_context</string>
        <string>authinternal</string>
      </array>
    </dict>
    <key>system.keychain.create.loginkc</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Used by the Security framework when you add an item to an unconfigured default keychain</string>
      <key>mechanisms</key>
      <array>
        <string>loginKC:queryCreate</string>
        <string>loginKC:showPasswordUI</string>
        <string>authinternal</string>
      </array>
      <key>session-owner</key>
      <true/>
      <key>shared</key>
      <true/>
    </dict>
    <key>system.keychain.modify</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by Keychain Access when editing a system keychain.</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.preferences</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>This right is checked by the Admin framework when making changes to the system preferences. Credentials remain valid forever. An acquired credential is shared amongst all clients. If the process that created the AuthorizationRef has uid == 0 this right will automatically be granted.</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
    </dict>
    <key>system.printingmanager</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>The following right is checked for printing to locked printers.</string>
      <key>rule</key>
      <string>authenticate-admin</string>
    </dict>
    <key>system.privilege.admin</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges is used by programs requesting to run a tool as root (e.g. some installers). Credentials remain valid 5 minutes after they've been obtained. An acquired credential isn't shared with other clients. Clients running as root will be granted this right automatically.</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <false/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.restart</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Multisession restart mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>RestartAuthorization:restart</string>
        <string>RestartAuthorization:authenticate</string>
        <string>RestartAuthorization:success</string>
      </array>
    </dict>
    <key>system.shutdown</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Multisession shutdown mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>RestartAuthorization:shutdown</string>
        <string>RestartAuthorization:authenticate</string>
        <string>RestartAuthorization:success</string>
      </array>
    </dict>
    <key>system.burn</key>
    <dict>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>authorization to burn media</string>
    </dict>
    <key>com.apple.server.admin.streaming</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used for admin requests with the QuickTime Streaming Server.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>allow-root</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>system.install.admin.user</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by installer tool: user installing in admin domain (/Applications)</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.install.root.user</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by installer tool: user installing in root domain (/System)</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.install.root.admin</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by installer tool: admin installing in root domain (/System)</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>com.apple.appserver.privilege.admin</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>Used to determine administrative access to the Application Server management tool.</string>
      <key>rule</key>
      <string>appserver-admin</string>
    </dict>
    <key>com.apple.appserver.privilege.user</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>Used to determine user access to the Application Server management tool.</string>
      <key>k-of-n</key>
      <integer>1</integer>
      <key>rule</key>
      <array>
        <string>appserver-admin</string>
        <string>appserver-user</string>
      </array>
    </dict>
    <key>com.apple.desktopservices</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>authorize privileged file operations from the Finder</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>com.apple.builtin.generic-new-passphrase</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:generic-new-passphrase</string>
      </array>
    </dict>
    <key>com.apple.builtin.generic-unlock</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:generic-unlock</string>
      </array>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>allow</key>
    <dict>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>allow anyone</string>
    </dict>
    <key>authenticate-admin</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>require the user asking for authorization to authenticate as an admin</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>authenticate-session-owner</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>authenticate session owner</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>session-owner</key>
      <true/>
    </dict>
    <key>authenticate-session-owner-or-admin</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>the owner as well as any admin can authorize</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>session-owner</key>
      <true/>
      <key>shared</key>
      <true/>
    </dict>
    <key>is-admin</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>verify the user asking for authorization is an admin</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
    </dict>
    <key>is-root</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>verify the process that created this AuthorizationRef is root</string>
      <key>group</key>
      <string>nogroup</string>
    </dict>
    <key>appserver-user</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>group</key>
      <string>appserverusr</string>
    </dict>
    <key>appserver-admin</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>group</key>
      <string>appserveradm</string>
    </dict>
    <key>default</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>All other rights will be matched by this rule. Credentials remain valid 5 minutes after they've been obtained. An acquired credential is shared amongst all clients.</string>
      <key>group</key>
      <string>admin</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate</string>
      </array>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
  </dict>
</dict>
</plist>
```
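The header comment describes the right-name reduction (exact match, then longest wildcard prefix, then the catch-all empty key) and the per-rule properties (`group`, `mechanisms`, `shared`, `timeout`, `allow-root`, `k-of-n`) that the entries above use. The following Python is an added example, not Apple's code: it parses a constructed excerpt of the file with `plistlib` and applies those semantics so the consequences of each setting can be seen on realistic right names. The `Session` object, the per-group credential cache, and the `password_ok` flag standing in for the outcome of `builtin:authenticate` are simplifications made here; `evaluate-mechanisms` rights and the `session-owner` key are not modelled.

```python
"""Right-name reduction and rule evaluation for a macOS-style authorization
database.  Added illustration, not Apple's implementation: the lookup and the
allow/deny/user/rule classes follow the comments in the file above; Session,
the per-group credential cache and password_ok are simplifications."""
import plistlib

# Constructed excerpt of the database above (only the entries exercised below).
AUTH_DB = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>rights</key><dict>
  <key></key><dict><key>class</key><string>rule</string><key>rule</key><string>default</string></dict>
  <key>config.add.</key><dict><key>class</key><string>allow</string></dict>
  <key>config.remove.</key><dict><key>class</key><string>rule</string><key>rule</key><string>authenticate-admin</string></dict>
  <key>config.remove.system.</key><dict><key>class</key><string>deny</string></dict>
  <key>system.preferences</key><dict><key>allow-root</key><true/><key>class</key><string>user</string>
   <key>group</key><string>admin</string><key>mechanisms</key><array><string>builtin:authenticate</string></array>
   <key>shared</key><true/></dict>
  <key>system.privilege.admin</key><dict><key>allow-root</key><true/><key>class</key><string>user</string>
   <key>group</key><string>admin</string><key>mechanisms</key><array><string>builtin:authenticate</string></array>
   <key>shared</key><false/><key>timeout</key><integer>300</integer></dict>
  <key>com.apple.appserver.privilege.user</key><dict><key>class</key><string>rule</string>
   <key>k-of-n</key><integer>1</integer><key>rule</key><array><string>appserver-admin</string><string>appserver-user</string></array></dict>
 </dict>
 <key>rules</key><dict>
  <key>default</key><dict><key>class</key><string>user</string><key>group</key><string>admin</string>
   <key>mechanisms</key><array><string>builtin:authenticate</string></array><key>shared</key><true/><key>timeout</key><integer>300</integer></dict>
  <key>authenticate-admin</key><dict><key>class</key><string>user</string><key>group</key><string>admin</string>
   <key>mechanisms</key><array><string>builtin:authenticate</string></array><key>shared</key><true/><key>timeout</key><integer>0</integer></dict>
  <key>is-root</key><dict><key>allow-root</key><true/><key>class</key><string>user</string><key>group</key><string>nogroup</string></dict>
  <key>appserver-admin</key><dict><key>class</key><string>user</string><key>group</key><string>appserveradm</string></dict>
  <key>appserver-user</key><dict><key>class</key><string>user</string><key>group</key><string>appserverusr</string></dict>
 </dict>
</dict></plist>""")


def resolve(db, right):
    """Reduce a requested right name to the key that governs it, as the header
    comment describes: exact match first, then the longest wildcard key (one
    ending in ".") that is a prefix of the name, and finally the empty key."""
    rights = db["rights"]
    if right in rights:
        return right
    wild = [k for k in rights if k.endswith(".") and right.startswith(k)]
    return max(wild, key=len) if wild else ""


class Session:
    """One login session: the requesting uid and its groups, the clock, and the
    session-wide cache of credentials obtained under rules marked shared."""

    def __init__(self, uid, groups, now):
        self.uid, self.groups, self.now = uid, set(groups), now
        self.shared_creds = {}  # group -> time a credential for it was obtained
        self.prompts = 0        # how many times builtin:authenticate ran


def evaluate(db, right, sess, password_ok=False):
    """Grant or refuse `right`.  password_ok stands in for the outcome of a
    builtin:authenticate prompt: a valid password for a member of the group."""
    return apply_rule(db, db["rights"][resolve(db, right)], sess, password_ok)


def apply_rule(db, spec, sess, password_ok):
    cls = spec["class"]
    if cls in ("allow", "deny"):
        return cls == "allow"
    if cls == "rule":  # delegate to named rule(s); k-of-n defaults to all of them
        names = spec["rule"]
        names = [names] if isinstance(names, str) else list(names)
        need = spec.get("k-of-n", len(names))
        return sum(apply_rule(db, db["rules"][n], sess, password_ok) for n in names) >= need
    if cls == "user":
        group = spec["group"]
        if spec.get("allow-root", False) and sess.uid == 0:
            return True  # root is granted without any prompt
        if "builtin:authenticate" not in spec.get("mechanisms", []):
            return group in sess.groups  # is-admin/is-root style: membership only
        if spec.get("shared", False):
            got = sess.shared_creds.get(group)
            max_age = spec.get("timeout")  # absent timeout: credential never expires
            if got is not None and (max_age is None or sess.now - got < max_age):
                return True  # reuse a fresh session credential, no prompt
        sess.prompts += 1
        if password_ok and spec.get("shared", False):
            sess.shared_creds[group] = sess.now
        return password_ok
    raise NotImplementedError(f"class {cls!r} needs the named plugin mechanisms")


if __name__ == "__main__":
    s = Session(uid=501, groups={"staff", "admin"}, now=1000)
    print(resolve(AUTH_DB, "config.remove.system.foo"))          # config.remove.system.
    print(evaluate(AUTH_DB, "com.example.tool", s, True), s.prompts)   # True 1
    print(evaluate(AUTH_DB, "system.preferences", s), s.prompts)       # True 1 (cached)
```

Two things the run makes visible that the comments only state: a wildcard key only matches at a dot boundary (`config.addons` falls through to the empty key, not to `config.add.`), and `shared` plus `timeout 0` (the `authenticate-admin` rule) still re-prompts on every request, while `shared` with no `timeout` (`system.preferences`) reuses an admin credential obtained under any other shared rule for the rest of the session. On current systems the live database is queried with `security authorizationdb read <right>` rather than by reading this file.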