<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>comment</key>
  <string>The name of the requested right is matched against the keys. An exact match has priority, otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction.

allow rule: this is always allowed
  &lt;key&gt;com.apple.TestApp.benign&lt;/key&gt;
  &lt;string&gt;allow&lt;/string&gt;

deny rule: this is always denied
  &lt;key&gt;com.apple.TestApp.dangerous&lt;/key&gt;
  &lt;string&gt;deny&lt;/string&gt;

user rule: successful authentication as a user in the specified group(5) allows the associated right.
The shared property specifies whether a credential generated on success is shared with other apps (same "session"). This property defaults to false if not specified.
The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule.
The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.

See remaining rules for examples.</string>
  <key>rights</key>
  <dict>
    <key></key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>All other rights will be matched by this rule.</string>
      <key>rule</key>
      <string>default</string>
    </dict>
    <key>com.apple.</key>
    <dict>
      <key>rule</key>
      <string>default</string>
    </dict>
    <key>com.apple.Safari.parental-controls</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>This right is checked when changing parental controls for Safari</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>com.apple.activitymonitor.kill</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by Activity Monitor to authorize killing processes not owned by the user</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>com.apple.airport.allow.computer-to-computer</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>Whether AirPort interactions are allowed or not</string>
      <key>k-of-n</key>
      <integer>1</integer>
      <key>rule</key>
      <array>
        <string>is-admin</string>
        <string>allow</string>
      </array>
    </dict>
    <key>com.apple.airport.allow.network.change</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>Whether AirPort interactions are allowed or not</string>
      <key>k-of-n</key>
      <integer>1</integer>
      <key>rule</key>
      <array>
        <string>is-admin</string>
        <string>allow</string>
      </array>
    </dict>
    <key>com.apple.appserver.privilege.admin</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>Used to determine administrative access to the Application Server management tool.</string>
      <key>rule</key>
      <string>appserver-admin</string>
    </dict>
    <key>com.apple.appserver.privilege.user</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>Used to determine user access to the Application Server management tool.</string>
      <key>k-of-n</key>
      <integer>1</integer>
      <key>rule</key>
      <array>
        <string>appserver-admin</string>
        <string>appserver-user</string>
      </array>
    </dict>
    <key>com.apple.builtin.confirm-access</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:confirm-access</string>
      </array>
    </dict>
    <key>com.apple.builtin.confirm-access-password</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:confirm-access-password</string>
      </array>
    </dict>
    <key>com.apple.builtin.generic-new-passphrase</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:generic-new-passphrase</string>
      </array>
    </dict>
    <key>com.apple.builtin.generic-unlock</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:generic-unlock</string>
      </array>
    </dict>
    <key>com.apple.chud.io.read</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used to allow admin reading of I/O space via the CHUD framework</string>
      <key>group</key>
      <string>admin</string>
      <key>timeout</key>
      <integer>3600</integer>
    </dict>
    <key>com.apple.chud.io.write</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used to allow admin writing of I/O space via the CHUD framework</string>
      <key>group</key>
      <string>admin</string>
      <key>timeout</key>
      <integer>3600</integer>
    </dict>
    <key>com.apple.chud.pci.read</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>Used to allow user reading of the PCI configuration space via the CHUD framework</string>
      <key>timeout</key>
      <integer>3600</integer>
    </dict>
    <key>com.apple.chud.pci.write</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used to allow admin writing of PCI configuration space via the CHUD framework</string>
      <key>group</key>
      <string>admin</string>
      <key>timeout</key>
      <integer>3600</integer>
    </dict>
    <key>com.apple.chud.physmem</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used to allow admin access to physical memory addresses via the CHUD framework</string>
      <key>group</key>
      <string>admin</string>
      <key>timeout</key>
      <integer>3600</integer>
    </dict>
    <key>com.apple.chud.spr.read</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>Used to allow user reading of CPU special purpose registers via the CHUD framework</string>
      <key>timeout</key>
      <integer>3600</integer>
    </dict>
    <key>com.apple.chud.spr.write</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used to allow admin writing of CPU special purpose registers via the CHUD framework</string>
      <key>group</key>
      <string>admin</string>
      <key>timeout</key>
      <integer>3600</integer>
    </dict>
    <key>com.apple.dashboard.advisory.allow</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>com.apple.desktopservices</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>authorize privileged file operations from the Finder</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>com.apple.server.admin.streaming</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used for admin requests with the QuickTime Streaming Server.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>config.add.</key>
    <dict>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights</string>
    </dict>
    <key>config.config.</key>
    <dict>
      <key>class</key>
      <string>deny</string>
      <key>comment</key>
      <string>wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file)</string>
    </dict>
    <key>config.modify.</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.</string>
      <key>k-of-n</key>
      <integer>1</integer>
      <key>rule</key>
      <array>
        <string>is-root</string>
        <string>authenticate-admin</string>
      </array>
    </dict>
    <key>config.remove.</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.</string>
      <key>k-of-n</key>
      <integer>1</integer>
      <key>rule</key>
      <array>
        <string>is-root</string>
        <string>authenticate-admin</string>
      </array>
    </dict>
    <key>config.remove.system.</key>
    <dict>
      <key>class</key>
      <string>deny</string>
      <key>comment</key>
      <string>wildcard right for deleting system rights.</string>
    </dict>
    <key>sys.openfile.</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>See authopen(1) for information on the use of this right.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.</key>
    <dict>
      <key>rule</key>
      <string>default</string>
    </dict>
    <key>system.burn</key>
    <dict>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>authorization to burn media</string>
    </dict>
    <key>system.device.dvd.setregion.initial</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). Credentials remain valid indefinitely after they've been obtained. An acquired credential is shared amongst all clients.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
    </dict>
    <key>system.install.admin.user</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by installer tool: user installing in admin domain (/Applications)</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.install.root.admin</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by installer tool: admin installing in root domain (/System)</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.install.root.user</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by installer tool: user installing in root domain (/System)</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.keychain.create.loginkc</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Used by the Security framework when you add an item to an unconfigured default keychain</string>
      <key>mechanisms</key>
      <array>
        <string>loginKC:queryCreate</string>
        <string>loginKC:showPasswordUI</string>
        <string>authinternal</string>
      </array>
      <key>session-owner</key>
      <true/>
      <key>shared</key>
      <true/>
    </dict>
    <key>system.keychain.modify</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by Keychain Access when editing a system keychain.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Login mechanism based rule. Not for general use, yet. builtin:krb5authenticate can be used to hinge local authentication on a successful Kerberos authentication and KDC verification. builtin:krb5authnoverify skips the KDC verification. Both fall back on local authentication.</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:auto-login,privileged</string>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow_builtin:login</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:getuserinfo,privileged</string>
        <string>builtin:sso,privileged</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>HomeDirMechanism:status</string>
        <string>MCXMechanism:login</string>
        <string>loginwindow_builtin:success</string>
        <string>loginwindow_builtin:done</string>
      </array>
    </dict>
    <key>system.login.done</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>builtin:krb5login can be used to do Kerberos authentication as a side effect of logging in. Local username/password will be used.</string>
      <key>mechanisms</key>
      <array/>
    </dict>
    <key>system.login.pam</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>push_hints_to_context</string>
        <string>authinternal</string>
      </array>
      <key>tries</key>
      <integer>1</integer>
    </dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>the owner as well as any admin can unlock the screensaver; modify the group key to change this.</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
    <key>system.login.tty</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>push_hints_to_context</string>
        <string>authinternal</string>
      </array>
      <key>tries</key>
      <integer>1</integer>
    </dict>
    <key>system.preferences</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>This right is checked by the Admin framework when making changes to the system preferences.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
    </dict>
    <key>system.preferences.accessibility</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>This right is checked by the Admin framework when enabling or disabling the Accessibility APIs</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>system.preferences.accounts</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>This right is checked by the Admin framework when making changes to the accounts preference pane</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
    </dict>
    <key>system.printingmanager</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>comment</key>
      <string>The following right is checked for printing to locked printers.</string>
      <key>rule</key>
      <string>authenticate-admin</string>
    </dict>
    <key>system.privilege.admin</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges is used by programs requesting to run a tool as root (i.e. some installers). Credentials remain valid 5 minutes after they've been obtained. An acquired credential isn't shared with other clients. Clients running as root will be granted this right automatically.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <false/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.restart</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Multisession restart mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>RestartAuthorization:restart</string>
        <string>RestartAuthorization:authenticate</string>
        <string>RestartAuthorization:success</string>
      </array>
    </dict>
    <key>system.services.directory.configure</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>authorization to make directory service changes</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>system.shutdown</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Multisession shutdown mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>RestartAuthorization:shutdown</string>
        <string>RestartAuthorization:authenticate</string>
        <string>RestartAuthorization:success</string>
      </array>
    </dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>allow</key>
    <dict>
      <key>class</key>
      <string>allow</string>
      <key>comment</key>
      <string>allow anyone</string>
    </dict>
    <key>appserver-admin</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>group</key>
      <string>appserveradm</string>
    </dict>
    <key>appserver-user</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>group</key>
      <string>appserverusr</string>
    </dict>
    <key>authenticate</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>builtin:authenticate</string>
        <string>builtin:authenticate,privileged</string>
      </array>
    </dict>
    <key>authenticate-admin</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>require the user asking for authorization to authenticate as an admin</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>0</integer>
    </dict>
    <key>authenticate-session-owner</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>authenticate session owner</string>
      <key>session-owner</key>
      <true/>
    </dict>
    <key>authenticate-session-owner-or-admin</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>the owner as well as any admin can authorize</string>
      <key>group</key>
      <string>admin</string>
      <key>session-owner</key>
      <true/>
      <key>shared</key>
      <true/>
    </dict>
    <key>authenticate-session-user</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>authenticate session owner</string>
      <key>session-owner</key>
      <true/>
    </dict>
    <key>default</key>
    <dict>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>All other rights will be matched by this rule. Credentials remain valid 5 minutes after they've been obtained. An acquired credential is shared amongst all clients.</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
      <key>timeout</key>
      <integer>300</integer>
    </dict>
    <key>is-admin</key>
    <dict>
      <key>authenticate-user</key>
      <false/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>verify the user asking for authorization is an admin</string>
      <key>group</key>
      <string>admin</string>
      <key>shared</key>
      <true/>
    </dict>
    <key>is-root</key>
    <dict>
      <key>allow-root</key>
      <true/>
      <key>authenticate-user</key>
      <false/>
      <key>class</key>
      <string>user</string>
      <key>comment</key>
      <string>verify the process that created this authref is root</string>
    </dict>
  </dict>
</dict>
</plist>
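The following is an added worked model of the lookup and evaluation rules the header comment describes (exact match first, then the longest wildcard key ending in ".", then the empty catch-all key; allow/deny/user/rule classes; k-of-n; allow-root; authenticate-user). It is example code written for this page, not Apple's Security framework. The `DB` subset, the request contexts (`ROOT`, `ADMIN`, `ADMIN_NOPW`, `USER`) and the helpers `match_right()`, `evaluate()` and `load_db()` are all constructed for the example; the evaluate-mechanisms class depends on a loaded mechanism stack and is not modelled, so those rights return `None`.

```python
"""Model of /etc/authorization right matching and evaluation (example code, not
Apple's implementation). plistlib.load() on the XML file produces dicts in the
same shape as DB below: <true/>/<false/> become bool, <integer> becomes int."""
import plistlib


def load_db(path):
    """Parse a plist authorization database from disk (real file not bundled)."""
    with open(path, "rb") as fp:
        return plistlib.load(fp)


# Constructed subset of the database above, in plistlib's dict shape.
DB = {
    "rights": {
        "": {"class": "rule", "rule": "default"},
        "com.apple.": {"rule": "default"},
        "com.apple.airport.allow.network.change": {
            "class": "rule", "k-of-n": 1, "rule": ["is-admin", "allow"]},
        "config.modify.": {"class": "rule", "k-of-n": 1,
                           "rule": ["is-root", "authenticate-admin"]},
        "config.remove.": {"class": "rule", "k-of-n": 1,
                           "rule": ["is-root", "authenticate-admin"]},
        "config.remove.system.": {"class": "deny"},
        "system.": {"rule": "default"},
        "system.burn": {"class": "allow"},
        "system.login.tty": {"class": "evaluate-mechanisms",
                             "mechanisms": ["push_hints_to_context", "authinternal"],
                             "tries": 1},
        "system.privilege.admin": {"allow-root": True, "class": "user",
                                   "group": "admin", "shared": False, "timeout": 300},
    },
    "rules": {
        "allow": {"class": "allow"},
        "authenticate-admin": {"class": "user", "group": "admin", "shared": True, "timeout": 0},
        "default": {"class": "user", "group": "admin", "shared": True, "timeout": 300},
        "is-admin": {"authenticate-user": False, "class": "user", "group": "admin", "shared": True},
        "is-root": {"allow-root": True, "authenticate-user": False, "class": "user"},
    },
}

# Constructed request contexts: uid, group membership, whether a valid password
# was supplied, and whether the requester owns the console session.
ROOT = {"uid": 0, "groups": {"wheel"}, "authenticated": False, "session_owner": False}
ADMIN = {"uid": 501, "groups": {"staff", "admin"}, "authenticated": True, "session_owner": True}
ADMIN_NOPW = {**ADMIN, "authenticated": False}
USER = {"uid": 502, "groups": {"staff"}, "authenticated": True, "session_owner": True}


def match_right(rights, name):
    """Exact key wins; otherwise the longest key ending in '.' that is a prefix
    of name; otherwise the empty catch-all key. A non-wildcard key such as
    'system.burn' never matches 'system.burning' by prefix."""
    if name in rights:
        return name
    best = "" if "" in rights else None
    for key in rights:
        if key and key.endswith(".") and name.startswith(key):
            if best is None or len(key) > len(best):
                best = key
    return best


def _eval_user(entry, ctx):
    if entry.get("allow-root") and ctx["uid"] == 0:
        return True                      # root bypasses the group/password check
    identity = ("group" in entry and entry["group"] in ctx["groups"]) or \
               (entry.get("session-owner") and ctx["session_owner"])
    if not identity:
        return False
    # authenticate-user defaults to true: a password is required unless the
    # rule (e.g. is-admin) explicitly turns it off and only checks membership.
    if entry.get("authenticate-user", True) and not ctx["authenticated"]:
        return False
    return True


def _eval_entry(db, entry, ctx):
    cls = entry.get("class", "rule" if "rule" in entry else None)
    if cls == "allow":
        return True
    if cls == "deny":
        return False                     # deny is absolute; allow-root never applies
    if cls == "user":
        return _eval_user(entry, ctx)
    if cls == "rule":
        refs = entry["rule"]
        refs = [refs] if isinstance(refs, str) else list(refs)
        results = [_eval_entry(db, db["rules"][r], ctx) for r in refs]
        k = entry.get("k-of-n", len(refs))   # no k-of-n: every listed rule must pass
        if results.count(True) >= k:
            return True
        return None if None in results else False
    return None                          # evaluate-mechanisms: outcome set by the mechanism stack


def evaluate(db, name, ctx):
    """Return True (granted), False (denied) or None (mechanism stack needed)."""
    key = match_right(db["rights"], name)
    return False if key is None else _eval_entry(db, db["rights"][key], ctx)


if __name__ == "__main__":
    for right, ctx in [("config.modify.x", ROOT), ("config.remove.system.x", ROOT),
                       ("com.apple.airport.allow.network.change", USER)]:
        print(right, "->", match_right(DB["rights"], right), evaluate(DB, right, ctx))
```

Two things the model makes visible that are easy to miss when reading the file: `com.apple.airport.allow.network.change` lists `allow` under `k-of-n` 1 next to `is-admin`, so any caller satisfies it with no admin membership at all; and `config.remove.system.` is a `deny` class, so even root (which `is-root` would otherwise let through on `config.remove.`) cannot delete system rights programmatically.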