Authorisation Rights

Authorisation rights are a core part of Mac OS X's security. Rights determine who can and cannot access specific functionality. Administrators of Macs often need to change the defaults that ship with Mac OS X.

This reference of default authorisation rights provides an overview of the rights available in recent versions of Mac OS X.

You can use the built-in security command-line tool or our authbuddy to modify authorisation rights.

Default Rights in Mac OS X

Authorisation rights available in Mac OS X
Right 10.6 10.7 10.8 10.9 10.10 Comment
(empty) Yes Yes Yes Yes Yes Matches otherwise unmatched rights (i.e., is a default).
admin No Yes Yes Yes Yes
allow Yes Yes Yes Yes Yes Allow anyone.
app-specific-admin No No Yes Yes Yes
appserver-admin Yes Yes Yes Yes Yes
appserver-user Yes Yes Yes Yes Yes
authenticate Yes Yes Yes Yes Yes
authenticate-admin Yes Yes Yes Yes Yes Authenticate as an administrator.
authenticate-admin-30 Yes Yes Yes Yes Yes Like the default rule, but credentials remain valid for only 30 seconds after they've been obtained. An acquired credential is shared by all clients.
authenticate-admin-extract No No No No Yes Authenticate as an administrator + allow password extraction.
authenticate-admin-or-staff-extract No No No No Yes
authenticate-appstore-30 No Yes Yes Yes Yes
authenticate-developer Yes Yes Yes Yes Yes Authenticate as a developer.
authenticate-session-owner Yes Yes Yes Yes Yes Authenticate as the session owner.
authenticate-session-owner-or-admin Yes Yes Yes Yes Yes Authenticate either as the owner or as an administrator.
authenticate-session-user Yes Yes Yes Yes Yes Same as authenticate-session-owner.
authenticate-staff-extract No No No No Yes Authenticate as group staff + allow password to be extracted.
com.alf No No No Yes Yes
com.apple. Yes Yes Yes Yes Yes
com.apple.AOSNotification.FindMyMac.modify No No Yes Yes Yes
com.apple.AOSNotification.FindMyMac.remove No No No Yes Yes
com.apple.CoreRAID.admin Yes Yes Yes Yes Yes Used by CoreRAID to allow access to administration functions of RAID devices
com.apple.DiskManagement. Yes Yes Yes Yes Yes Used by diskmanagementd to allow access to its privileged functions
com.apple.DiskManagement.internal. No No Yes Yes Yes Used by diskmanagementd to allow access to its privileged functions
com.apple.DiskManagement.reserveKEK No Yes Yes Yes Yes Used by diskmanagementd to allow use of the reserve KEK.
com.apple.KerberosAgent No Yes Yes Yes Yes Used to acquire Kerberos credentials.
com.apple.OpenScripting.additions.send No Yes Yes Yes Yes Used to send restricted scripting addition commands to processes that require authorization to handle the events.
com.apple.ReportPanic.fixRight No No No Yes Yes
com.apple.Safari.parental-controls Yes Yes Yes Yes Yes Checked when changing parental controls for Safari.
com.apple.Safari.show-credit-card-numbers No No No Yes Yes This right is used by Safari to show credit card numbers.
com.apple.Safari.show-passwords No Yes Yes Yes Yes This right is used by Safari to show passwords
com.apple.ServiceManagement.blesshelper Yes Yes Yes Yes Yes Used by the ServiceManagement framework to add a privileged helper tool to the system launchd.
com.apple.ServiceManagement.daemons.modify Yes Yes Yes Yes Yes Used by the ServiceManagement framework to make changes to the system launchd's set of daemons.
com.apple.SoftwareUpdate.modify-settings No No Yes Yes Yes Checked by the Admin framework when making changes to the Software Update preference pane.
com.apple.SoftwareUpdate.scan No Yes Yes Yes Yes Checked when user is updating software.
com.apple.XType.fontmover.install No Yes Yes Yes Yes
com.apple.XType.fontmover.remove No Yes Yes Yes Yes
com.apple.XType.fontmover.restore No Yes Yes Yes Yes
com.apple.ZFSManager. Yes Yes Yes Yes Yes Used by zfsmanager to allow access to destructive zfs functions
com.apple.activitymonitor.kill Yes Yes Yes Yes Yes Used by Activity Monitor to authorize killing processes not owned by the user.
com.apple.appserver.privilege.admin Yes Yes Yes Yes Yes For administrative access to the Application Server management tool.
com.apple.appserver.privilege.user Yes Yes Yes Yes Yes For user access to the Application Server management tool.
com.apple.builtin.confirm-access Yes Yes Yes Yes Yes
com.apple.builtin.confirm-access-password Yes Yes Yes Yes Yes
com.apple.builtin.generic-new-passphrase Yes Yes Yes Yes Yes
com.apple.builtin.generic-unlock Yes Yes Yes Yes Yes
com.apple.container-repair No No Yes Yes Yes
com.apple.dashboard.advisory.allow Yes Yes Yes Yes Yes
com.apple.desktopservices Yes Yes Yes Yes Yes For privileged file operations from within the Finder.
com.apple.desktopservices.scripted No Yes Yes Yes Yes For scripting-initiated privileged file operations from within the Finder.
com.apple.docset.install Yes Yes Yes Yes Yes Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
com.apple.dt.Xcode.LicenseAgreementXPCServiceRights No No No Yes Yes Xcode FLE rights
com.apple.dt.Xcode.MoveToTrashRights No Yes No No No
com.apple.dt.instruments.process.analysis No No No No Yes Rights for Instruments
com.apple.dt.instruments.process.kill No No No No Yes Rights for Instruments
com.apple.familycontrols.loginwindow.override Yes No No Yes Yes This right is checked when overriding a parental control restriction
com.apple.familycontrols.override Yes No No Yes Yes This right is checked when overriding parental controls from a user account
com.apple.iBooksX.ParentalControl No No No Yes Yes Checked when making changes to the Parental Controls for iBooks.
com.apple.library-repair No Yes Yes Yes Yes
com.apple.lldb.LaunchUsingXPC No No Yes Yes Yes
com.apple.opendirectoryd.linkidentity No No Yes Yes Yes
com.apple.pcastagentconfigd. Yes Yes No No No
com.apple.pf.rule No No No Yes Yes
com.apple.security.assessment.update No Yes Yes Yes Yes
com.apple.server.admin.streaming Yes Yes Yes Yes Yes For making administrative requests to the QuickTime Streaming Server.
com.apple.trust-settings.admin Yes Yes Yes Yes Yes For modifying Trust Settings in the Local Admin domain.
com.apple.trust-settings.user Yes Yes Yes Yes Yes For modifying per-user Trust Settings.
com.apple.uninstalld.uninstall No Yes Yes Yes Yes
com.apple.wifi No No No Yes Yes For restricting WiFi control
com.apple.wireless-diagnostics No No Yes Yes Yes Used by the WirelessDiagnosticsSupport framework to restrict XPC services provided by the wdhelper daemon
com.example.sampleright No No No Yes Yes
config.add. Yes Yes Yes Yes Yes Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.
config.config. Yes Yes Yes Yes Yes Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).
config.modify. Yes Yes Yes Yes Yes Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
config.remove. Yes Yes Yes Yes Yes Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
config.remove.system. Yes Yes Yes Yes Yes Wildcard right for deleting system rights.
default Yes Yes Yes Yes Yes Default rule. Credentials remain valid for 5 minutes after they've been obtained. An acquired credential is shared by all clients.
entitled No Yes Yes Yes Yes
entitled-admin No Yes Yes Yes Yes
entitled-admin-or-authenticate-admin No Yes Yes Yes Yes
entitled-appstore No Yes Yes Yes Yes
entitled-appstore-or-entitled-authenticate-appstore No Yes Yes Yes Yes
entitled-authenticate-admin No Yes Yes Yes Yes
entitled-authenticate-appstore No Yes Yes Yes Yes
entitled-session-owner No Yes Yes Yes Yes
entitled-session-owner-or-authenticate-session-owner No Yes Yes Yes Yes
is-admin Yes Yes Yes Yes Yes Verify that the user asking for authorization is an administrator.
is-appstore No Yes Yes Yes Yes
is-developer Yes Yes Yes Yes Yes Verify that the user asking for authorization is a developer.
is-lpadmin No Yes Yes Yes Yes
is-root Yes Yes Yes Yes Yes Verify that the process that created this AuthorizationRef is running as root.
is-session-owner No Yes Yes Yes Yes Verify that the requesting process is running as the session owner.
lpadmin No Yes Yes Yes Yes
on-console No Yes Yes Yes Yes
root-or-admin-or-authenticate-admin No Yes No No No
root-or-entitled-admin-or-admin No Yes Yes Yes Yes
root-or-entitled-admin-or-app-specific-admin No No Yes Yes Yes
root-or-entitled-admin-or-authenticate-admin No Yes Yes Yes Yes
root-or-lpadmin No Yes Yes Yes Yes
sys.openfile. Yes Yes Yes Yes Yes See authopen(1) for information on the use of this right.
system. Yes Yes Yes Yes Yes
system.burn Yes Yes Yes Yes Yes For burning media.
system.csfde.requestpassword No Yes Yes Yes Yes Used by CoreStorage Full Disk Encryption to request the user's password.
system.device.dvd.setregion.initial Yes Yes Yes Yes Yes Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
system.disk.unlock No Yes Yes Yes Yes Do not modify.
system.global-login-items. Yes Yes Yes Yes Yes
system.hdd.smart No Yes Yes Yes Yes For modifying SMART settings.
system.identity.write. Yes Yes Yes Yes Yes For creating, changing or deleting local user accounts and groups.
system.identity.write.credential Yes Yes Yes Yes Yes Checked when changing authentication credentials (password or certificate) for a local user account.
system.identity.write.self Yes Yes Yes Yes Yes Checked when changing authentication credentials (password or certificate) for the current user's account.
system.install.admin.user Yes No No No No
system.install.app-store-software No Yes Yes Yes Yes Checked when user is installing software from the App Store.
system.install.app-store-software.standard-user No No No Yes Yes Checked when user is installing new software.
system.install.apple-config-data No No Yes Yes Yes
system.install.apple-software No Yes Yes Yes Yes Checked when user is installing Apple-provided software.
system.install.apple-software.standard-user No No No Yes Yes Checked when user is installing new software.
system.install.iap-software No No No Yes Yes
system.install.root.admin Yes No No No No
system.install.root.user Yes No No No No
system.install.software No Yes Yes Yes Yes Checked when user is installing new software.
system.install.software.iap No No No No Yes
system.install.software.mdm-provided No No No No Yes
system.keychain.create.loginkc Yes Yes Yes Yes Yes Used by the Security framework when you add an item to an unconfigured default keychain.
system.keychain.modify Yes Yes Yes Yes Yes Used by Keychain Access when editing a system keychain.
system.login.console Yes Yes Yes Yes Yes Login mechanism based rule. Not for general use, yet.
system.login.done Yes Yes Yes Yes Yes
system.login.fus No No No No Yes Login mechanism based rule. Not for general use, yet.
system.login.screensaver Yes Yes Yes Yes Yes The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.
system.login.tty Yes Yes Yes Yes Yes
system.preferences Yes Yes Yes Yes Yes Checked by the Admin framework when making changes to certain System Preferences.
system.preferences.accessibility Yes Yes Yes Yes Yes Checked when making changes to the Accessibility Preferences.
system.preferences.accounts Yes Yes Yes Yes Yes Checked by the Admin framework when making changes to the Users & Groups preference pane.
system.preferences.datetime No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Date & Time preference pane.
system.preferences.energysaver No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Energy Saver preference pane.
system.preferences.location No Yes Yes Yes Yes For changing the network location from the Apple menu.
system.preferences.network No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Network preference pane.
system.preferences.nvram No No Yes Yes Yes
system.preferences.parental-controls Yes Yes Yes Yes Yes Checked when making changes to the Parental Controls preference pane.
system.preferences.printing No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Printing preference pane.
system.preferences.security Yes Yes Yes Yes Yes Checked by the Admin framework when making changes to the Security preference pane.
system.preferences.security.remotepair No Yes Yes Yes Yes Used by Bezel Services to gate IR remote pairing.
system.preferences.sharing No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Sharing preference pane.
system.preferences.softwareupdate No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Software Update preference pane.
system.preferences.startupdisk No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Startup Disk preference pane.
system.preferences.timemachine No Yes Yes Yes Yes Checked by the Admin framework when making changes to the Time Machine preference pane.
system.preferences.version-cue No Yes Yes Yes Yes For gating modifications to Adobe Version Cue preferences.
system.print.admin Yes Yes Yes Yes Yes
system.print.operator Yes Yes Yes Yes Yes
system.printingmanager Yes Yes Yes Yes Yes For printing to locked printers.
system.privilege.admin Yes Yes Yes Yes Yes Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges() is used by programs requesting to run a tool as root (e.g., some installers).
system.privilege.taskport Yes Yes Yes Yes Yes Used by task_for_pid(...). Task_for_pid is called by programs requesting full control over another program for things like debugging or performance analysis. This authorization only applies if the requesting and target programs are run by the same user; it will never authorize access to the program of another user. WARNING: administrators are advised not to modify this right.
system.privilege.taskport.debug Yes Yes Yes Yes Yes For use by Apple. WARNING: administrators are advised not to modify this right.
system.privilege.taskport.safe Yes Yes Yes Yes Yes For use by Apple.
system.restart Yes Yes Yes Yes Yes Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
system.services.directory.configure Yes Yes Yes Yes Yes For making Directory Services changes.
system.services.networkextension.filtering No No No No Yes For making changes to the Content Filtering configuration using NetworkExtension.
system.services.networkextension.vpn No No No No Yes For making changes to the VPN configuration using NetworkExtension.
system.services.systemconfiguration.network No No Yes Yes Yes For making changes to network configuration via System Configuration.
system.sharepoints. Yes Yes Yes Yes Yes Checked when making changes to the Sharepoints.
system.shutdown Yes Yes Yes Yes Yes Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
system.volume. No No Yes Yes Yes system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
system.volume.external. No No Yes Yes Yes system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
system.volume.external.adopt No No Yes Yes Yes system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
system.volume.network. No No No No Yes system.volume.network.unmount
system.volume.optical. No No No No Yes system.volume.optical.(adopt|encode|mount|rename|unmount)
system.volume.optical.adopt No No No No Yes system.volume.optical.adopt
system.volume.removable. No No Yes Yes Yes system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
system.volume.removable.adopt No No Yes Yes Yes system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
use-login-window-ui No No No Yes Yes Authenticate either as the owner or as an administrator.
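As an added example (not from this page or from the authbuddy project), the following Python script parses the XML plist that security authorizationdb read <right> prints on Mac OS X and flags right definitions that are looser than the defaults described in the table above (anyone allowed, shared credentials cached longer than the 5-minute default, root skipping authentication). The sample plists and the com.example right names are constructed so the script runs offline.

```python
import plistlib

# Constructed samples of what `security authorizationdb read <right>` prints
# (XML plists), embedded so the audit runs offline. The first mirrors the
# page's screensaver default; the other two are deliberately weak definitions.
SAMPLES = {
    "system.login.screensaver": b"""<plist version="1.0"><dict>
<key>class</key><string>rule</string>
<key>rule</key><array><string>authenticate-session-owner-or-admin</string></array>
</dict></plist>""",
    "com.example.weak-right": b"""<plist version="1.0"><dict>
<key>class</key><string>user</string>
<key>group</key><string>admin</string>
<key>shared</key><true/>
<key>timeout</key><integer>86400</integer>
<key>allow-root</key><true/>
</dict></plist>""",
    "com.example.open-right": b"""<plist version="1.0"><dict>
<key>class</key><string>allow</string>
</dict></plist>""",
}

DEFAULT_TIMEOUT = 300  # the page's default rule: credentials valid for 5 minutes


def audit_right(name, plist_bytes):
    """Return a list of findings for one right definition (empty means nothing to flag)."""
    right = plistlib.loads(plist_bytes)
    findings = []
    cls = right.get("class")
    rules = right.get("rule", [])
    # 'allow' as the class, or as one of the referenced rules, lets anyone through.
    if cls == "allow" or (cls == "rule" and "allow" in rules):
        findings.append(f"{name}: anyone is allowed (class/rule 'allow')")
    if cls == "user":
        timeout = right.get("timeout", 0)
        if right.get("shared") and timeout > DEFAULT_TIMEOUT:
            findings.append(f"{name}: shared credential cached for {timeout}s, longer than the 5-minute default")
        if right.get("allow-root"):
            findings.append(f"{name}: root bypasses authentication (allow-root)")
    return findings


def remediation(name, rule_name):
    """The security(1) command that resets a right to a named built-in rule."""
    return f"security authorizationdb write {name} {rule_name}"


def audit_all(samples):
    return {name: audit_right(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "OK" if not findings else findings)
```

On a real machine the input would come from security authorizationdb read for each right in the table; the remediation string is what you would run to put a right back onto one of the built-in rules listed above.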

Authorization versus Authorisation

Authorisation is the British spelling variant of the word. Authorization, with a 'z' as opposed to an 's', is the American variation.

Both are correct. Within Mac OS X, you will see the American variant used because Apple is an American company. We tend to default to the British English variant because we are a British-based company.