krypted.com

Tiny Deathstars of Foulness

The authorizationdb in macOS defines rules around who can do which tasks in macOS. These are per domain and the structure is similar to how preferences domains work. You can easily read domains using the security command followed by the authorizationdb key and the read verb, followed by the domain. In the following example, we’ll read the admin domain:

security authorizationdb read admin

You can then use this same command structure for all domains. The keys for each rights domain are as follows:

admin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

allow

<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>Allow anyone.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>

app-specific-admin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

appserver-admin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>appserveradm</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

appserver-user

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>appserverusr</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:authenticate</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-admin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-admin-30

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Like the default rule, but
credentials remain valid for only 30 seconds after they’ve
been obtained. An acquired credential is shared by all clients.
</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-admin-extract

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as an administrator + allow password extraction.</string>
<key>created</key>
<real>538029218.67258</real>
<key>extract-password</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>password-only</key>
<true/>
<key>require-apple-signed</key>
<true/>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

authenticate-admin-nonshared

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

authenticate-admin-or-staff-extract

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-admin-extract</string>
<string>authenticate-staff-extract</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-appstore-30

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_appstore</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-developer

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as a developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-session-owner

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as the session owner.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-session-owner-or-admin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate either as the owner or as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-session-user

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Same as authenticate-session-owner.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-staff-extract

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as group staff + allow password to be extracted.</string>
<key>created</key>
<real>538029218.67258</real>
<key>extract-password</key>
<true/>
<key>group</key>
<string>staff</string>
<key>modified</key>
<real>538029218.67258</real>
<key>password-only</key>
<true/>
<key>require-apple-signed</key>
<true/>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

authenticate-staff-extract-context

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-staff-extract</string>
<string>localauthentication-context</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

authenticate-webdeveloper

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as a web developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_webdeveloper</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.AOSNotification.FindMyMac.modify

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.AOSNotification.FindMyMac.remove

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.CoreRAID.admin

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by CoreRAID to allow access to administration functions of RAID devices</string>
<key>created</key>
<real>538029219.97001803</real>
<key>identifier</key>
<string>com.apple.CoreRAIDServer</string>
<key>modified</key>
<real>538029219.97001803</real>
<key>requirement</key>
<string>identifier “com.apple.CoreRAIDServer” and anchor apple</string>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.DiskManagement.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by diskmanagementd to allow access to its privileged functions</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.DiskManagement.internal.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by diskmanagementd to allow access to its privileged functions</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.DiskManagement.reserveKEK

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by diskmanagementd to allow use of the reserve KEK.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.KerberosAgent

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Used to acquire Kerberos credentials.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>KerberosAgent:kerberos-dialog</string>
<string>KerberosAgent:kerberos-authenticate,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.OpenScripting.additions.send

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used to send restricted scripting addition commands to processes that require authorization to handle the events.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.ReportPanic.fixRight

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>require-apple-signed</key>
<true/>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.Safari.allow-apple-events-to-run-javascript

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to allow Apple Events to run JavaScript on web pages.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.Safari.allow-javascript-in-smart-search-field

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to allow JavaScript to be used in the Smart Search Field.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.Safari.allow-unsigned-app-extensions

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to allow unsigned extensions in the Develop Menu.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.Safari.install-ephemeral-extensions

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This is the right used by Safari to install an ephemeral extension without a developer certificate present.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.Safari.parental-controls

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when changing parental controls for Safari.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.Safari.show-credit-card-numbers

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to show credit card numbers.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.Safari.show-passwords

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to show passwords.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.ServiceManagement.blesshelper

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by the ServiceManagement framework to add a privileged helper tool to the system launchd.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
</plist>

com.apple.ServiceManagement.daemons.modify

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by the ServiceManagement framework to make changes to the system launchd’s set of daemons.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin-or-authenticate-admin-nonshared</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>

com.apple.SoftwareUpdate.modify-settings

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Software Update preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-app-specific-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.SoftwareUpdate.scan

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when user is updating software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.XType.fontmover.install

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.XType.fontmover.remove

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.XType.fontmover.restore

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.activitymonitor.kill

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by Activity Monitor to authorize killing processes not owned by the user.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.appserver.privilege.admin

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For administrative access to the Application Server management tool.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>appserver-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.appserver.privilege.user

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For user access to the Application Server management tool.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>appserver-admin</string>
<string>appserver-user</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.builtin.confirm-access

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:confirm-access</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>1</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.builtin.confirm-access-password

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:confirm-access-password</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.builtin.generic-new-passphrase

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:generic-new-passphrase</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.builtin.generic-unlock

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:generic-unlock</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.builtin.sc-kc-new-passphrase

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:generic-new-passphrase</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.configurationprofiles.userprofile.trustcert

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Install user configuration profile with certificate requiring trust change.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-session-owner-or-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.container-repair

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.ctk.pair

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>kcunlock</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.ctkbind.admin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.dashboard.advisory.allow

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.desktopservices

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For privileged file operations from within the Finder.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.desktopservices.scripted

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For scripting-initiated privileged file operations from within the Finder.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.docset.install

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.dt.Xcode.LicenseAgreementXPCServiceRights

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Xcode FLE rights</string>
<key>created</key>
<real>538936495.48300803</real>
<key>default-prompt</key>
<dict>
<key>en</key>
<string>In order to accept the license or install components, Xcode needs to acquire admin privileges.</string>
</dict>
<key>group</key>
<string>admin</string>
<key>identifier</key>
<string>com.apple.dt.Xcode</string>
<key>modified</key>
<real>538936495.48300803</real>
<key>requirement</key>
<string>(anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple) and identifier “com.apple.dt.Xcode”</string>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.familycontrols.loginwindow.override

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>This right is checked when overriding a parental control restriction</string>
<key>created</key>
<real>538029866.46782303</real>
<key>identifier</key>
<string>com.apple.parentalcontrolsd</string>
<key>mechanisms</key>
<array>
<string>FamilyControls:invoke</string>
<string>FamilyControls:authenticate</string>
<string>FamilyControls:success</string>
</array>
<key>modified</key>
<real>538029866.46782303</real>
<key>requirement</key>
<string>identifier “com.apple.parentalcontrolsd” and anchor apple</string>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.familycontrols.override

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is checked when overriding parental controls from a user account</string>
<key>created</key>
<real>538029866.37611794</real>
<key>group</key>
<string>admin</string>
<key>identifier</key>
<string>com.apple.parentalcontrolsd</string>
<key>modified</key>
<real>538029866.37611794</real>
<key>requirement</key>
<string>identifier “com.apple.parentalcontrolsd” and anchor apple</string>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>5</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.iBooksX.ParentalControl

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Parental Controls for iBooks.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.icloud.passwordreset

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as the session owner to reset iCloud password</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>password-only</key>
<true/>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

com.apple.library-repair

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.lldb.LaunchUsingXPC

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.opendirectoryd.linkidentity

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-session-owner-or-authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.pf.rule

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.safaridriver.allow

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>This right is used by safaridriver to allow running it.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>is-webdeveloper</string>
<string>authenticate-webdeveloper</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>

com.apple.security.assessment.update

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.security.sudo

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.security.syntheticinput

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.server.admin.streaming

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For making administrative requests to the QuickTime Streaming Server.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.trust-settings.admin

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For modifying Trust Settings in the Local Admin domain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.trust-settings.user

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For modifying Trust Settings in the Local Admin domain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.uninstalld.uninstall

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

com.apple.wifi

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For restricting WiFi control</string>
<key>created</key>
<real>538029219.51006806</real>
<key>identifier</key>
<string>com.apple.airport.airportd</string>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>560372456.43442702</real>
<key>requirement</key>
<string>identifier “com.apple.airport.airportd” and anchor apple</string>
<key>rule</key>
<array>
<string>entitled</string>
<string>is-admin</string>
<string>is-root</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

config.add.

<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>

config.config.

<dict>
<key>class</key>
<string>deny</string>
<key>comment</key>
<string>Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>

config.modify.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

config.remove.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

config.remove.system.

<dict>
<key>class</key>
<string>deny</string>
<key>comment</key>
<string>Wildcard right for deleting system rights.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>

default

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Default rule.
Credentials remain valid for 5 minutes after they’ve been obtained.
An acquired credential is shared by all clients.
</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

entitled

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:entitled,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>1</integer>
<key>version</key>
<integer>0</integer>
</dict>

entitled-admin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-admin-nonshared

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin-nonshared</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-admin-or-authenticate-admin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-admin-or-authenticate-admin-nonshared

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin-nonshared</string>
<string>authenticate-admin-nonshared</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-appstore

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-appstore</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-appstore-or-entitled-authenticate-appstore

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-appstore</string>
<string>entitled-authenticate-appstore</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-authenticate-admin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-authenticate-appstore

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-appstore-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-session-owner

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-session-owner</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

entitled-session-owner-or-authenticate-session-owner

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-session-owner</string>
<string>authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

is-admin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

is-admin-nonshared

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is an administrator – nonshared right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

is-appstore

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_appstore</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

is-developer

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is a developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

is-lpadmin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_lpadmin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

is-root

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the process that created this AuthorizationRef is running as root.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

is-session-owner

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the requesting process is running as the session owner.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

is-webdeveloper

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is a web developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_webdeveloper</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

kcunlock

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>extract-password</key>
<true/>
<key>mechanisms</key>
<array>
<string>builtin:unlock-keychain</string>
<string>builtin:kc-verify,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

localauthentication-context

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Used by LocalAuthentication to pass externalized context.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>LocalAuthentication:context</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

lpadmin

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_lpadmin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

on-console

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:on-console</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>1</integer>
<key>version</key>
<integer>0</integer>
</dict>

root-or-entitled-admin-or-admin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin</string>
<string>admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

root-or-entitled-admin-or-app-specific-admin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin</string>
<string>app-specific-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

root-or-entitled-admin-or-authenticate-admin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

root-or-lpadmin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-lpadmin</string>
<string>lpadmin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

sys.openfile.

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>See authopen(1) for information on the use of this right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.burn

<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>For burning media.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>

system.csfde.requestpassword

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by CoreStorage Full Disk Encryption to request the user’s password.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-admin-or-staff-extract</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>

system.device.dvd.setregion.initial

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.disk.unlock

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Do not modify.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>DiskUnlock:prompt</string>
<string>DiskUnlock:unlock,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.global-login-items.

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>

system.hdd.smart

<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>For modifying SMART settings.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>

system.identity.write.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For creating, changing or deleting local user accounts and groups.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.identity.write.credential

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when changing authentication credentials (password or certificate) for a local user account.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.identity.write.self

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when changing authentication credentials (password or certificate) for the current user’s account.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.install.app-store-software

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when user is installing software from the App Store.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-appstore-or-entitled-authenticate-appstore</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.install.app-store-software.standard-user

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when user is installing new software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.install.apple-config-data

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.install.apple-software

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when user is installing Apple-provided software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.install.apple-software.standard-user

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when user is installing new software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.install.software

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when user is installing new software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.install.software.iap

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled</key>
<true/>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.install.software.mdm-provided

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>

system.keychain.create.loginkc

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Used by the Security framework when you add an item to an unconfigured default keychain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>loginKC:queryCreate</string>
<string>loginKC:showPasswordUI</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<false/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

system.keychain.modify

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by Keychain Access when editing a system keychain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.login.console

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:policy-banner</string>
<string>TeamViewerAuthPlugin:start</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>loginwindow:FDESupport,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>loginwindow:done</string>
</array>
<key>modified</key>
<real>559753619.04678202</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>7</integer>
</dict>

system.login.done

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.login.fus

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow:login</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate-nocred,privileged</string>
<string>loginwindow:success</string>
<string>loginwindow:done</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

system.login.screensaver

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner or any administrator can unlock the screensaver, set rule to “authenticate-session-owner-or-admin” to enable SecurityAgent.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>use-login-window-ui</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>

system.login.tty

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>

system.preferences

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to certain System Preferences.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.accessibility

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Accessibility Preferences.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.accounts

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Users &amp; Groups preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.continuity

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by Password And Continuity PrefPane to request the user’s password.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-staff-extract-context</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.datetime

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Date &amp; Time preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

system.preferences.energysaver

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Energy Saver preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.location

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For changing the network location from the Apple menu.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>on-console</string>
<string>is-admin</string>
<string>is-root</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.network

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Network preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.nvram

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.parental-controls

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Parental Controls preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.printing

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Printing preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.security

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Security preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.security.remotepair

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by Bezel Services to gate IR remote pairing.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

system.preferences.sharing

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Sharing preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.softwareupdate

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Software Update preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.startupdisk

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Startup Disk preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>

system.preferences.timemachine

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Time Machine preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.preferences.version-cue

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For gating modifications to Adobe Version Cue preferences.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.print.admin

<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-lpadmin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.print.operator

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_lpoperator</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.printingmanager

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For printing to locked printers.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.privilege.admin

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by AuthorizationExecuteWithPrivileges(…).
AuthorizationExecuteWithPrivileges() is used by programs requesting
to run a tool as root (e.g., some installers).</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.privilege.taskport

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by task_for_pid(…).
Task_for_pid is called by programs requesting full control over another program
for things like debugging or performance analysis. This authorization only applies
if the requesting and target programs are run by the same user; it will never
authorize access to the program of another user. WARNING: administrators are advised not to modify this right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.privilege.taskport.debug

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For use by Apple. WARNING: administrators are advised
not to modify this right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.privilege.taskport.safe

<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>For use by Apple.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>

system.restart

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>RestartAuthorization:restart</string>
<string>builtin:authenticate,privileged</string>
<string>RestartAuthorization:success</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.services.directory.configure

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For making Directory Services changes.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>544130060.84547496</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled</string>
<string>authenticate-admin-nonshared</string>
</array>
<key>version</key>
<integer>3</integer>
</dict>

system.services.networkextension.filtering

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For making changes to the Content Filtering configuration using NetworkExtension.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
<key>vpn-entitled-group</key>
<true/>
</dict>

system.services.networkextension.vpn

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For making changes to the VPN configuration using NetworkExtension.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
<key>vpn-entitled-group</key>
<true/>
</dict>

system.services.systemconfiguration.network

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For making change to network configuration via System Configuration.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
<key>vpn-entitled-group</key>
<true/>
</dict>

system.sharepoints.

<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Sharepoints.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.shutdown

<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>RestartAuthorization:shutdown</string>
<string>builtin:authenticate,privileged</string>
<string>RestartAuthorization:success</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.external.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.external.adopt

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.network.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.network.unmount</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.optical.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.optical.(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.optical.adopt

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.optical.adopt</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.removable.

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

system.volume.removable.adopt

<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>

use-login-window-ui

<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate either as the owner or as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>

The