The authorization database (authorizationdb) in macOS defines the rules for who can perform which tasks. Rules are defined per domain, and the structure is similar to how preference domains work. You can read a domain by running the security command with the authorizationdb key and the read verb, followed by the name of the domain. In the following example, we’ll read the admin domain:
security authorizationdb read admin
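You can use the same command structure for every domain. The keys for each rights domain are listed below, with the domain name on the line above each dictionary. The timeout value is in seconds, as the authenticate-admin-30 comment indicates, so a value of 2147483647 (the largest 32-bit signed integer) means an acquired credential effectively does not expire: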
admin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
allow
<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>Allow anyone.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>
app-specific-admin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
appserver-admin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>appserveradm</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
appserver-user
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>appserverusr</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:authenticate</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-admin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-admin-30
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Like the default rule, but
credentials remain valid for only 30 seconds after they’ve
been obtained. An acquired credential is shared by all clients.
</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-admin-extract
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as an administrator + allow password extraction.</string>
<key>created</key>
<real>538029218.67258</real>
<key>extract-password</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>password-only</key>
<true/>
<key>require-apple-signed</key>
<true/>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
authenticate-admin-nonshared
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
authenticate-admin-or-staff-extract
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-admin-extract</string>
<string>authenticate-staff-extract</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-appstore-30
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_appstore</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-developer
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as a developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-session-owner
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as the session owner.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-session-owner-or-admin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate either as the owner or as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-session-user
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Same as authenticate-session-owner.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-staff-extract
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as group staff + allow password to be extracted.</string>
<key>created</key>
<real>538029218.67258</real>
<key>extract-password</key>
<true/>
<key>group</key>
<string>staff</string>
<key>modified</key>
<real>538029218.67258</real>
<key>password-only</key>
<true/>
<key>require-apple-signed</key>
<true/>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
authenticate-staff-extract-context
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-staff-extract</string>
<string>localauthentication-context</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
authenticate-webdeveloper
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as a web developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_webdeveloper</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.AOSNotification.FindMyMac.modify
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.AOSNotification.FindMyMac.remove
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.CoreRAID.admin
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by CoreRAID to allow access to administration functions of RAID devices</string>
<key>created</key>
<real>538029219.97001803</real>
<key>identifier</key>
<string>com.apple.CoreRAIDServer</string>
<key>modified</key>
<real>538029219.97001803</real>
<key>requirement</key>
<string>identifier "com.apple.CoreRAIDServer" and anchor apple</string>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.DiskManagement.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by diskmanagementd to allow access to its privileged functions</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.DiskManagement.internal.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by diskmanagementd to allow access to its privileged functions</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.DiskManagement.reserveKEK
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by diskmanagementd to allow use of the reserve KEK.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.KerberosAgent
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Used to acquire Kerberos credentials.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>KerberosAgent:kerberos-dialog</string>
<string>KerberosAgent:kerberos-authenticate,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.OpenScripting.additions.send
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used to send restricted scripting addition commands to processes that require authorization to handle the events.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.ReportPanic.fixRight
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>require-apple-signed</key>
<true/>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.Safari.allow-apple-events-to-run-javascript
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to allow Apple Events to run JavaScript on web pages.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.Safari.allow-javascript-in-smart-search-field
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to allow JavaScript to be used in the Smart Search Field.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.Safari.allow-unsigned-app-extensions
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to allow unsigned extensions in the Develop Menu.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.Safari.install-ephemeral-extensions
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This is the right used by Safari to install an ephemeral extension without a developer certificate present.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.Safari.parental-controls
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when changing parental controls for Safari.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.Safari.show-credit-card-numbers
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to show credit card numbers.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.Safari.show-passwords
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is used by Safari to show passwords.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.ServiceManagement.blesshelper
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by the ServiceManagement framework to add a privileged helper tool to the system launchd.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
com.apple.ServiceManagement.daemons.modify
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by the ServiceManagement framework to make changes to the system launchd’s set of daemons.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin-or-authenticate-admin-nonshared</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
com.apple.SoftwareUpdate.modify-settings
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Software Update preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-app-specific-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.SoftwareUpdate.scan
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when user is updating software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.XType.fontmover.install
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.XType.fontmover.remove
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.XType.fontmover.restore
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.activitymonitor.kill
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by Activity Monitor to authorize killing processes not owned by the user.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.appserver.privilege.admin
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For administrative access to the Application Server management tool.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>appserver-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.appserver.privilege.user
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For user access to the Application Server management tool.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>appserver-admin</string>
<string>appserver-user</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.builtin.confirm-access
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:confirm-access</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>1</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.builtin.confirm-access-password
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:confirm-access-password</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.builtin.generic-new-passphrase
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:generic-new-passphrase</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.builtin.generic-unlock
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:generic-unlock</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.builtin.sc-kc-new-passphrase
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:generic-new-passphrase</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.configurationprofiles.userprofile.trustcert
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Install user configuration profile with certificate requiring trust change.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-session-owner-or-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.container-repair
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.ctk.pair
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>kcunlock</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.ctkbind.admin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.dashboard.advisory.allow
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.desktopservices
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For privileged file operations from within the Finder.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.desktopservices.scripted
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For scripting-initiated privileged file operations from within the Finder.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.docset.install
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.dt.Xcode.LicenseAgreementXPCServiceRights
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Xcode FLE rights</string>
<key>created</key>
<real>538936495.48300803</real>
<key>default-prompt</key>
<dict>
<key>en</key>
<string>In order to accept the license or install components, Xcode needs to acquire admin privileges.</string>
</dict>
<key>group</key>
<string>admin</string>
<key>identifier</key>
<string>com.apple.dt.Xcode</string>
<key>modified</key>
<real>538936495.48300803</real>
<key>requirement</key>
<string>(anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple) and identifier "com.apple.dt.Xcode"</string>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.familycontrols.loginwindow.override
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>This right is checked when overriding a parental control restriction</string>
<key>created</key>
<real>538029866.46782303</real>
<key>identifier</key>
<string>com.apple.parentalcontrolsd</string>
<key>mechanisms</key>
<array>
<string>FamilyControls:invoke</string>
<string>FamilyControls:authenticate</string>
<string>FamilyControls:success</string>
</array>
<key>modified</key>
<real>538029866.46782303</real>
<key>requirement</key>
<string>identifier "com.apple.parentalcontrolsd" and anchor apple</string>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.familycontrols.override
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is checked when overriding parental controls from a user account</string>
<key>created</key>
<real>538029866.37611794</real>
<key>group</key>
<string>admin</string>
<key>identifier</key>
<string>com.apple.parentalcontrolsd</string>
<key>modified</key>
<real>538029866.37611794</real>
<key>requirement</key>
<string>identifier "com.apple.parentalcontrolsd" and anchor apple</string>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>5</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.iBooksX.ParentalControl
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Parental Controls for iBooks.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.icloud.passwordreset
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate as the session owner to reset iCloud password</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>password-only</key>
<true/>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
com.apple.library-repair
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.lldb.LaunchUsingXPC
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.opendirectoryd.linkidentity
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-session-owner-or-authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.pf.rule
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.safaridriver.allow
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>This right is used by safaridriver to allow running it.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>is-webdeveloper</string>
<string>authenticate-webdeveloper</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
com.apple.security.assessment.update
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.security.sudo
<dict>
<!-- Composite right: class "rule" delegates the decision to the rules named
     in the "rule" array instead of carrying its own user/group settings. -->
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<!-- k-of-n is 2 and the array holds two rules, so both "entitled" and
     "authenticate-session-owner" have to succeed. Compare with rights in this
     listing that set k-of-n to 1, where any single listed rule is enough. -->
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.security.syntheticinput
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.server.admin.streaming
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For making administrative requests to the QuickTime Streaming Server.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.trust-settings.admin
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For modifying Trust Settings in the Local Admin domain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.trust-settings.user
<dict>
<!-- Right for modifying Trust Settings. As listed it requires authentication
     as a member of group "admin" (authenticate-user true, group admin),
     except that a caller running as root is granted it (allow-root true).
     NOTE(review): the comment string below is identical to the one on
     com.apple.trust-settings.admin ("Local Admin domain") even though this
     right is named for the user domain. Confirm with
     "security authorizationdb read com.apple.trust-settings.user" on the
     target system before relying on the description. -->
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For modifying Trust Settings in the Local Admin domain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<!-- shared false: the credential obtained for this right is not offered to
     other clients. -->
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.uninstalld.uninstall
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
com.apple.wifi
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For restricting WiFi control</string>
<key>created</key>
<real>538029219.51006806</real>
<key>identifier</key>
<string>com.apple.airport.airportd</string>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>560372456.43442702</real>
<key>requirement</key>
<string>identifier "com.apple.airport.airportd" and anchor apple</string>
<key>rule</key>
<array>
<string>entitled</string>
<string>is-admin</string>
<string>is-root</string>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
config.add.
<dict>
<!-- Meta-right governing who may add new rights to the authorization
     database. class "allow" grants the request unconditionally: no group
     check and no authentication, as the embedded comment states.
     Review note: because adding is unauthenticated, the set of rights present
     on a host is worth capturing in a configuration baseline, so that rights
     not shipped by Apple or by known software stand out. Modification and
     removal are governed separately by config.modify. and config.remove. -->
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>
config.config.
<dict>
<key>class</key>
<string>deny</string>
<key>comment</key>
<string>Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>
config.modify.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
config.remove.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
config.remove.system.
<dict>
<key>class</key>
<string>deny</string>
<key>comment</key>
<string>Wildcard right for deleting system rights.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>
default
<dict>
<!-- Fallback rule referenced by name from other rights in this listing
     (for example the "system." wildcard and system.login.tty). As listed:
     class "user", group "admin", authenticate-user true, so the requester
     must authenticate as a member of the admin group; allow-root false means
     running as root does not bypass that. -->
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Default rule.
Credentials remain valid for 5 minutes after they’ve been obtained.
An acquired credential is shared by all clients.
</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<!-- shared true plus timeout 300 (seconds) is what the embedded comment
     describes: one successful admin authentication can satisfy other clients
     that request a right resolving to this rule for the next five minutes.
     Rights that need a fresh prompt every time use timeout 0 instead (see
     com.apple.pf.rule in this listing). -->
<key>shared</key>
<true/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
entitled
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:entitled,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>1</integer>
<key>version</key>
<integer>0</integer>
</dict>
entitled-admin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-admin-nonshared
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin-nonshared</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-admin-or-authenticate-admin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-admin-or-authenticate-admin-nonshared
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-admin-nonshared</string>
<string>authenticate-admin-nonshared</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-appstore
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-appstore</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-appstore-or-entitled-authenticate-appstore
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-appstore</string>
<string>entitled-authenticate-appstore</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-authenticate-admin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-authenticate-appstore
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-appstore-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-session-owner
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>2</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-session-owner</string>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
entitled-session-owner-or-authenticate-session-owner
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-session-owner</string>
<string>authenticate-session-owner</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
is-admin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
is-admin-nonshared
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is an administrator – nonshared right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
is-appstore
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_appstore</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
is-developer
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is a developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
is-lpadmin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_lpadmin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
is-root
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the process that created this AuthorizationRef is running as root.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
is-session-owner
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the requesting process is running as the session owner.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
is-webdeveloper
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Verify that the user asking for authorization is a web developer.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_webdeveloper</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
kcunlock
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>extract-password</key>
<true/>
<key>mechanisms</key>
<array>
<string>builtin:unlock-keychain</string>
<string>builtin:kc-verify,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
localauthentication-context
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Used by LocalAuthentication to pass externalized context.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>LocalAuthentication:context</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
lpadmin
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_lpadmin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
on-console
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:on-console</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>1</integer>
<key>version</key>
<integer>0</integer>
</dict>
root-or-entitled-admin-or-admin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin</string>
<string>admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
root-or-entitled-admin-or-app-specific-admin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin</string>
<string>app-specific-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
root-or-entitled-admin-or-authenticate-admin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
root-or-lpadmin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-lpadmin</string>
<string>lpadmin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
sys.openfile.
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>See authopen(1) for information on the use of this right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.burn
<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>For burning media.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>
system.csfde.requestpassword
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by CoreStorage Full Disk Encryption to request the user’s password.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-admin-or-staff-extract</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
system.device.dvd.setregion.initial
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.disk.unlock
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Do not modify.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>DiskUnlock:prompt</string>
<string>DiskUnlock:unlock,privileged</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.global-login-items.
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
system.hdd.smart
<dict>
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>For modifying SMART settings.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>
system.identity.write.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For creating, changing or deleting local user accounts and groups.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.identity.write.credential
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when changing authentication credentials (password or certificate) for a local user account.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.identity.write.self
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when changing authentication credentials (password or certificate) for the current user’s account.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.install.app-store-software
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when user is installing software from the App Store.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled-appstore-or-entitled-authenticate-appstore</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.install.app-store-software.standard-user
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when user is installing new software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.install.apple-config-data
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.install.apple-software
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Checked when user is installing Apple-provided software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-entitled-admin-or-authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.install.apple-software.standard-user
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when user is installing new software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>10</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.install.software
<dict>
<!-- Right checked when installing new software (see embedded comment).
     class "user" with group "admin" and authenticate-user true: the requester
     must authenticate as a member of the admin group. -->
<!-- allow-root true: a process already running as root is granted the right
     without that authentication. -->
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when user is installing new software.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<!-- shared false with timeout 300: the credential is not offered to other
     clients, and is treated as valid for 300 seconds after it is obtained. -->
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.install.software.iap
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<false/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled</key>
<true/>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.install.software.mdm-provided
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
system.keychain.create.loginkc
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Used by the Security framework when you add an item to an unconfigured default keychain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>loginKC:queryCreate</string>
<string>loginKC:showPasswordUI</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<false/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
system.keychain.modify
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by Keychain Access when editing a system keychain.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.login.console
<dict>
<!-- Right evaluated for a login at the console. class "evaluate-mechanisms"
     means the decision is made by running the mechanisms in the array below,
     in array order; entries suffixed ",privileged" are the ones requested to
     run with elevated privileges.
     NOTE(review): this is not a stock listing. "modified" is later than
     "created", "version" is 7, and the array contains
     TeamViewerAuthPlugin:start, which by its name is a third-party
     authorization plug-in rather than a builtin: or loginwindow: mechanism.
     When baselining a host, diff this array against a known-good copy for the
     same macOS release and account for every non-Apple entry, since
     mechanisms in this chain take part in every console login. Third-party
     plug-ins are normally installed under
     /Library/Security/SecurityAgentPlugins, which is worth reviewing
     alongside this right. -->
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:policy-banner</string>
<string>TeamViewerAuthPlugin:start</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>loginwindow:FDESupport,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>loginwindow:done</string>
</array>
<key>modified</key>
<real>559753619.04678202</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>7</integer>
</dict>
system.login.done
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.login.fus
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow:login</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate-nocred,privileged</string>
<string>loginwindow:success</string>
<string>loginwindow:done</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
system.login.screensaver
<dict>
<!-- class rule: this right carries no policy of its own and defers to the rule
     named in the "rule" array, here use-login-window-ui. That rule is listed at
     the end of this page as a class user entry with session-owner true and
     group admin, which is what makes "the owner or any administrator" able to
     unlock. Changing who may unlock the screen therefore means changing the
     rule this array points at. -->
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner or any administrator can unlock the screensaver, set rule to “authenticate-session-owner-or-admin” to enable SecurityAgent.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>use-login-window-ui</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
system.login.tty
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>default</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
system.preferences
<dict>
<!-- class user: satisfied by authenticating a member of "group" (admin).
     allow-root true grants the right to a requesting process that already runs
     as root without that authentication.
     shared true plus timeout 2147483647 (INT32_MAX seconds) puts the credential
     in the session's shared pool and effectively never ages it out, so one admin
     authentication can satisfy later requests that accept shared credentials.
     Hardening guides commonly set "shared" to false for this right; check the
     baseline you follow before changing it. -->
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to certain System Preferences.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.accessibility
<dict>
<!-- Stricter than the generic system.preferences right: allow-root is false, so
     a root process is not granted the right automatically; shared is false, so
     the credential is not added to the shared pool; and timeout is 0, so a
     previously obtained credential is presumably never accepted and each request
     authenticates again (confirm on the OS release in use). -->
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Accessibility Preferences.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>0</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.accounts
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Users &amp; Groups preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.continuity
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>Used by Password And Continuity PrefPane to request the user’s password.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-staff-extract-context</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.datetime
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Date &amp; Time preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
system.preferences.energysaver
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Energy Saver preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.location
<dict>
<!-- class rule with k-of-n 1: only one of the sub-rules in the "rule" array has
     to succeed. The array lists on-console, is-admin and is-root, so admin or
     root membership is not required when on-console is satisfied. The sub-rule
     definitions are not part of this section of the listing; on-console
     presumably matches the user at the local console (verify by reading that
     rule). -->
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For changing the network location from the Apple menu.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>on-console</string>
<string>is-admin</string>
<string>is-root</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.network
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Network preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.nvram
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.parental-controls
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Parental Controls preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.printing
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Printing preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.security
<dict>
<!-- Gate for the Security preference pane. Unlike system.preferences, shared is
     false here, so an admin credential obtained for this right is not added to
     the shared pool for other requests. allow-root is true, so a process
     already running as root is granted the right without authentication. The
     timeout is still 2147483647 (INT32_MAX seconds). -->
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Security preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.security.remotepair
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by Bezel Services to gate IR remote pairing.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>30</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
system.preferences.sharing
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Sharing preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.softwareupdate
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Software Update preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.startupdisk
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Startup Disk preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
</dict>
system.preferences.timemachine
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked by the Admin framework when making changes to the Time Machine preference pane.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.preferences.version-cue
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For gating modifications to Adobe Version Cue preferences.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.print.admin
<dict>
<key>class</key>
<string>rule</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>root-or-lpadmin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.print.operator
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_lpoperator</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.printingmanager
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For printing to locked printers.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-admin</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.privilege.admin
<dict>
<!-- This right decides who can have a tool run as root through
     AuthorizationExecuteWithPrivileges, so it is one of the entries most worth
     baselining and monitoring for change. As captured: members of group admin
     must authenticate, the credential is accepted for 300 seconds (timeout) and
     is not shared with other requests (shared false); allow-root true grants it
     directly to callers that already run as root. Loosening group, timeout or
     shared here widens who can reach root through this API. -->
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by AuthorizationExecuteWithPrivileges(…).
AuthorizationExecuteWithPrivileges() is used by programs requesting
to run a tool as root (e.g., some installers).</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>300</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.privilege.taskport
<dict>
<!-- Gate for task_for_pid, which per the rule's own comment gives a program
     full control over another program of the same user. The authorizing group
     is _developer rather than admin, the credential is shared (shared true) and
     is accepted for 36000 seconds (10 hours). allow-root is false. The rule
     text itself warns against modifying this right; treat any difference from
     the OS default as something to explain during an audit. -->
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Used by task_for_pid(…).
Task_for_pid is called by programs requesting full control over another program
for things like debugging or performance analysis. This authorization only applies
if the requesting and target programs are run by the same user; it will never
authorize access to the program of another user. WARNING: administrators are advised not to modify this right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.privilege.taskport.debug
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For use by Apple. WARNING: administrators are advised
not to modify this right.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>_developer</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>36000</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.privilege.taskport.safe
<dict>
<!-- class allow: the right is granted to any requester with no authentication
     and no group check (the generic "allow" rule earlier in this listing is
     described as "Allow anyone."). There are no group, timeout or shared keys
     because nothing is authenticated. What the right is used for is not stated
     beyond "For use by Apple". -->
<key>class</key>
<string>allow</string>
<key>comment</key>
<string>For use by Apple.</string>
<key>created</key>
<real>538029218.67258</real>
<key>modified</key>
<real>538029218.67258</real>
<key>version</key>
<integer>0</integer>
</dict>
system.restart
<dict>
<!-- class evaluate-mechanisms: the three mechanisms run in array order, with
     the privileged builtin:authenticate step between RestartAuthorization:restart
     and RestartAuthorization:success. Per the rule's comment this is only
     consulted when the console user restarts while other users are logged in
     through fast user switching. system.shutdown uses the same chain with
     RestartAuthorization:shutdown as its first mechanism. -->
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>RestartAuthorization:restart</string>
<string>builtin:authenticate,privileged</string>
<string>RestartAuthorization:success</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.services.directory.configure
<dict>
<!-- class rule with k-of-n 1: any one of is-root, entitled or
     authenticate-admin-nonshared is enough to change Directory Services
     settings. "modified" is later than "created" and version is 3, so this
     entry has been revised since the database was created; the listing does not
     show whether an OS update or an administrator made the change. -->
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For making Directory Services changes.</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>544130060.84547496</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>entitled</string>
<string>authenticate-admin-nonshared</string>
</array>
<key>version</key>
<integer>3</integer>
</dict>
system.services.networkextension.filtering
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For making changes to the Content Filtering configuration using NetworkExtension.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
<key>vpn-entitled-group</key>
<true/>
</dict>
system.services.networkextension.vpn
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For making changes to the VPN configuration using NetworkExtension.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
<key>vpn-entitled-group</key>
<true/>
</dict>
system.services.systemconfiguration.network
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>For making change to network configuration via System Configuration.</string>
<key>created</key>
<real>538029218.67258</real>
<key>entitled-group</key>
<true/>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>1</integer>
<key>vpn-entitled-group</key>
<true/>
</dict>
system.sharepoints.
<dict>
<key>allow-root</key>
<true/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Checked when making changes to the Sharepoints.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<false/>
<key>shared</key>
<true/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.shutdown
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.</string>
<key>created</key>
<real>538029218.67258</real>
<key>mechanisms</key>
<array>
<string>RestartAuthorization:shutdown</string>
<string>builtin:authenticate,privileged</string>
<string>RestartAuthorization:success</string>
</array>
<key>modified</key>
<real>538029218.67258</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.
<dict>
<!-- A right name ending in "." is a wildcard entry: it applies to requested
     rights that begin with this prefix when no more specific entry matches, as
     the pattern in the comment string suggests. With k-of-n 1, any one of
     is-root, is-admin or authenticate-admin-30 satisfies it. on-console is not
     in this array, unlike the external, network, optical and removable
     wildcard entries that follow. -->
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.external.
<dict>
<!-- Wildcard entry for operations on external volumes. k-of-n 1 means one
     matching sub-rule is enough, and on-console is among them, so these
     operations do not require admin or root when on-console is satisfied
     (presumably the user at the local console; verify by reading that rule).
     The more specific system.volume.external.adopt entry that follows omits
     on-console and therefore keeps adopt limited to root, admin or an admin
     authentication. -->
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.external.adopt
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.network.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.network.unmount</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.optical.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.optical.(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.optical.adopt
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.optical.adopt</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.removable.
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>on-console</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
system.volume.removable.adopt
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)</string>
<key>created</key>
<real>538029218.67258</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>538029218.67258</real>
<key>rule</key>
<array>
<string>is-root</string>
<string>is-admin</string>
<string>authenticate-admin-30</string>
</array>
<key>version</key>
<integer>0</integer>
</dict>
use-login-window-ui
<dict>
<!-- This is a rule rather than a right; system.login.screensaver refers to it
     by name. It accepts two identities: the session owner (session-owner true)
     or a member of group admin. allow-root is false and shared is false, so
     neither a root caller nor a credential from the shared pool satisfies it
     without this authentication. Because any admin account can pass this rule,
     the strength of screen unlock depends on every admin account on the
     machine, not only on the logged-in user's password. -->
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>Authenticate either as the owner or as an administrator.</string>
<key>created</key>
<real>538029218.67258</real>
<key>group</key>
<string>admin</string>
<key>modified</key>
<real>538029218.67258</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
The