Authorization Rights available on macOS

Authorisation rights are a core part of macOS’s security. Rights determine who can and cannot access specific functionality. Administrators of Macs occasionally need to change the defaults that ship with macOS.

This reference of default authorisation rights provides an overview of the rights available in recent versions of macOS.

You can use the built-in security command-line tool to read and modify authorisation rights.
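As an added example (not code from the page or from Apple), the following Python script works on the XML plist that "security authorizationdb read <right>" prints to standard output and flags rights whose definition has drifted from the table's defaults: a right loosened to the "allow" class (the page's "Allow anyone"), a "user" class right that is granted on group membership alone, or a shared credential cached for longer than a threshold. The function names, the threshold value and the three sample plists are assumptions constructed for this example. With right names on the command line it reads them from the live database (macOS only); with no arguments it audits the embedded samples, so it runs anywhere.

```python
"""Audit macOS authorisation rights from `security authorizationdb read` output.
Added example: helper names, the audit threshold and the sample plists below
are constructed for illustration and are not part of the page or of macOS."""
import plistlib
import shutil
import subprocess

# Constructed sample: a right shaped like the page's "default" rule
# (admin group, credential shared by all clients, valid for 5 minutes).
SAMPLE_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>user</string>
  <key>group</key><string>admin</string>
  <key>authenticate-user</key><true/>
  <key>shared</key><true/>
  <key>timeout</key><integer>300</integer>
</dict></plist>"""

# Constructed sample: the same right after being loosened to the "allow"
# class, which the page describes as "Allow anyone".
SAMPLE_ALLOW = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>allow</string>
</dict></plist>"""

# Constructed sample: a right that delegates to a named rule from the table.
SAMPLE_RULE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>rule</string>
  <key>rule</key><array><string>authenticate-admin-30</string></array>
</dict></plist>"""


def parse_right(plist_bytes: bytes) -> dict:
    """Decode the plist that `security authorizationdb read` writes to stdout."""
    return plistlib.loads(plist_bytes)


def audit_right(name: str, right: dict, max_shared_timeout: int = 300) -> list:
    """Return human-readable findings; an empty list means nothing looked loosened.
    max_shared_timeout (seconds) is an assumed audit threshold, not an Apple value."""
    findings = []
    cls = right.get("class")
    if cls == "allow":
        findings.append(f"{name}: class 'allow' grants the right to anyone, no authentication")
    elif cls == "user":
        if not right.get("authenticate-user", True):
            findings.append(f"{name}: granted on group membership alone (authenticate-user=false)")
        if "group" not in right:
            findings.append(f"{name}: class 'user' with no group restriction")
        if right.get("shared") and right.get("timeout", 0) > max_shared_timeout:
            findings.append(f"{name}: shared credential cached for {right['timeout']}s "
                            f"(more than {max_shared_timeout}s)")
    elif cls == "rule":
        rules = right.get("rule", [])
        if isinstance(rules, str):        # tolerate a single string instead of an array
            rules = [rules]
        if "allow" in rules:
            findings.append(f"{name}: delegates to the 'allow' rule, so anyone is granted")
    return findings


def read_right(name: str) -> dict:
    """Read one right from the live database; only works on macOS where `security` exists."""
    if shutil.which("security") is None:
        raise RuntimeError("`security` not found; this helper only runs on macOS")
    out = subprocess.run(["security", "authorizationdb", "read", name],
                         check=True, capture_output=True).stdout
    return parse_right(out)


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:                      # audit live rights named on the command line
        for right_name in sys.argv[1:]:
            for line in audit_right(right_name, read_right(right_name)):
                print(line)
    else:                                 # no arguments: run over the constructed samples
        for label, blob in (("sample-default", SAMPLE_DEFAULT),
                            ("sample-allow", SAMPLE_ALLOW),
                            ("sample-rule", SAMPLE_RULE)):
            print(label, audit_right(label, parse_right(blob)) or ["ok"])
```

The same tool's write subcommand ("security authorizationdb write <right> <rule>", or a plist on standard input when no rule name is given) is how a right is changed back once a finding is confirmed; reading the right first, as above, gives you the original definition to keep for rollback.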

Default Rights in macOS

Authorisation rights available in macOS

| Right | 10.6 | 10.7 | 10.8 | 10.9 | 10.10 | 10.11 | 10.12 | 10.13 | 10.14 | Comment |
|---|---|---|---|---|---|---|---|---|---|---|
| (empty) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Matches otherwise unmatched rights (i.e., is a default). |
| admin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| allow | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Allow anyone. |
| app-specific-admin | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| appserver-admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| appserver-user | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| authenticate | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| authenticate-admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Authenticate as an administrator. |
| authenticate-admin-30 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Like the default rule, but credentials remain valid for only 30 seconds after they've been obtained. An acquired credential is shared by all clients. |
| authenticate-admin-extract | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Authenticate as an administrator + allow password extraction. |
| authenticate-admin-nonshared | No | No | No | No | No | No | No | Yes | Yes | Authenticate as an administrator. |
| authenticate-admin-or-staff-extract | No | No | No | No | Yes | Yes | Yes | Yes | Yes | |
| authenticate-appstore-30 | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| authenticate-developer | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Authenticate as a developer. |
| authenticate-session-owner | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Authenticate as the session owner. |
| authenticate-session-owner-or-admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Authenticate either as the owner or as an administrator. |
| authenticate-session-user | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Same as authenticate-session-owner. |
| authenticate-staff-extract | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Authenticate as group staff + allow password to be extracted. |
| authenticate-staff-extract-context | No | No | No | No | No | No | Yes | Yes | Yes | |
| authenticate-webdeveloper | No | No | No | No | No | No | No | Yes | Yes | Authenticate as a web developer. |
| com.alf | No | No | No | Yes | Yes | Yes | Yes | No | Yes | |
| com.apple. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.AOSNotification.FindMyMac.modify | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.AOSNotification.FindMyMac.remove | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.CoreRAID.admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by CoreRAID to allow access to administration functions of RAID devices |
| com.apple.DiskManagement. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by diskmanagementd to allow access to its privileged functions |
| com.apple.DiskManagement.internal. | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by diskmanagementd to allow access to its privileged functions |
| com.apple.DiskManagement.reserveKEK | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by diskmanagementd to allow use of the reserve KEK. |
| com.apple.KerberosAgent | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used to acquire Kerberos credentials. |
| com.apple.OpenScripting.additions.send | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used to send restricted scripting addition commands to processes that require authorization to handle the events. |
| com.apple.ReportPanic.fixRight | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.Safari.allow-apple-events-to-run-javascript | No | No | No | No | No | No | Yes | Yes | Yes | This right is used by Safari to allow Apple Events to run JavaScript on web pages. |
| com.apple.Safari.allow-javascript-in-smart-search-field | No | No | No | No | No | No | Yes | Yes | Yes | This right is used by Safari to allow JavaScript to be used in the Smart Search Field. |
| com.apple.Safari.allow-unsigned-app-extensions | No | No | No | No | No | No | Yes | Yes | Yes | This right is used by Safari to allow unsigned extensions in the Develop Menu. |
| com.apple.Safari.install-ephemeral-extensions | No | No | No | No | No | Yes | Yes | Yes | Yes | This is the right used by Safari to install an ephemeral extension without a developer certificate present. |
| com.apple.Safari.parental-controls | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when changing parental controls for Safari. |
| com.apple.Safari.show-credit-card-numbers | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | This right is used by Safari to show credit card numbers. |
| com.apple.Safari.show-passwords | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | This right is used by Safari to show passwords. |
| com.apple.ServiceManagement.blesshelper | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by the ServiceManagement framework to add a privileged helper tool to the system launchd. |
| com.apple.ServiceManagement.daemons.modify | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by the ServiceManagement framework to make changes to the system launchd's set of daemons. |
| com.apple.SoftwareUpdate.modify-settings | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Software Update preference pane. |
| com.apple.SoftwareUpdate.scan | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when user is updating software. |
| com.apple.XType.fontmover.install | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.XType.fontmover.remove | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.XType.fontmover.restore | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.ZFSManager. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Used by zfsmanager to allow access to destructive zfs functions |
| com.apple.activitymonitor.kill | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by Activity Monitor to authorize killing processes not owned by the user. |
| | No | No | No | No | No | No | No | No | Yes | Authorize an app-sandboxed application to install a symlink into /usr/local/bin. |
| com.apple.app-sandbox.replace-file | No | No | No | No | No | No | No | No | Yes | Authorize an app-sandboxed application to save (overwrite) a file in a privileged location. |
| com.apple.app-sandbox.set-attributes | No | No | No | No | No | No | No | No | Yes | Authorize an app-sandboxed application to change permissions on a privileged file. |
| com.apple.appserver.privilege.admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For administrative access to the Application Server management tool. |
| com.apple.appserver.privilege.user | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For user access to the Application Server management tool. |
| com.apple.builtin.confirm-access | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.builtin.confirm-access-password | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.builtin.generic-new-passphrase | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.builtin.generic-unlock | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.builtin.sc-kc-new-passphrase | No | No | No | No | No | No | No | Yes | Yes | |
| com.apple.configurationprofiles.userprofile.trustcert | No | No | No | No | No | No | No | Yes | Yes | Install user configuration profile with certificate requiring trust change. |
| com.apple.container-repair | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.ctk.pair | No | No | No | No | No | No | Yes | Yes | Yes | |
| com.apple.ctkbind.admin | No | No | No | No | No | No | Yes | Yes | Yes | |
| com.apple.dashboard.advisory.allow | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.desktopservices | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For privileged file operations from within the Finder. |
| com.apple.desktopservices.scripted | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For scripting-initiated privileged file operations from within the Finder. |
| com.apple.docset.install | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by Xcode to restrict access to a daemon it uses to install and update documentation sets. |
| com.apple.dt.Xcode.LicenseAgreementXPCServiceRights | No | No | No | Yes | Yes | Yes | Yes | No | Yes | Xcode FLE rights |
| com.apple.dt.Xcode.MoveToTrashRights | No | Yes | No | No | No | No | No | No | No | |
| com.apple.dt.Xcode.RootDebuggingXPCService | No | No | No | No | No | No | Yes | No | Yes | com.apple.dt.Xcode.RootDebuggingXPCService |
| com.apple.dt.instruments.process.analysis | No | No | No | No | Yes | Yes | Yes | No | Yes | Rights for Instruments |
| com.apple.dt.instruments.process.kill | No | No | No | No | Yes | Yes | Yes | No | Yes | Rights for Instruments |
| com.apple.familycontrols.loginwindow.override | Yes | No | No | Yes | Yes | Yes | Yes | Yes | Yes | This right is checked when overriding a parental control restriction |
| com.apple.familycontrols.override | Yes | No | No | Yes | Yes | Yes | Yes | Yes | Yes | This right is checked when overriding parental controls from a user account |
| com.apple.iBooksX.ParentalControl | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Checked when making changes to the Parental Controls for iBooks. |
| com.apple.iCloud.passwordReset | No | No | No | No | No | Yes | Yes | No | Yes | Authenticate as the session owner to reset iCloud password |
| com.apple.icloud.passwordreset | No | No | No | No | No | No | Yes | Yes | Yes | Authenticate as the session owner to reset iCloud password |
| com.apple.library-repair | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.lldb.LaunchUsingXPC | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.lldb.RootDebuggingXPCService | No | No | No | No | No | No | No | No | Yes | com.apple.lldb.RootDebuggingXPCService |
| com.apple.opendirectoryd.linkidentity | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.pcastagentconfigd. | Yes | Yes | No | No | No | No | No | No | No | |
| com.apple.pf.rule | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.safaridriver.allow | No | No | No | No | No | No | No | Yes | Yes | This right is used by safaridriver to allow running it. |
| com.apple.security.assessment.update | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.security.sudo | No | No | No | No | No | No | No | Yes | Yes | |
| com.apple.security.syntheticinput | No | No | No | No | No | No | Yes | Yes | Yes | |
| com.apple.server.admin.streaming | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For making administrative requests to the QuickTime Streaming Server. |
| com.apple.trust-settings.admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For modifying Trust Settings in the Local Admin domain. |
| com.apple.trust-settings.user | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For modifying per-user Trust Settings. |
| com.apple.uninstalld.uninstall | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| com.apple.wifi | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | For restricting WiFi control |
| com.apple.wifivelocity | No | No | No | No | No | No | No | No | Yes | Used by the WiFiVelocity framework to restrict XPC services |
| com.apple.wireless-diagnostics | No | No | Yes | Yes | Yes | Yes | Yes | No | Yes | Used by the WirelessDiagnosticsSupport framework to restrict XPC services provided by the wdhelper daemon |
| com.example.sampleright | No | No | No | Yes | Yes | Yes | Yes | No | Yes | |
| config.add. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights. |
| config.config. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file). |
| config.modify. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication. |
| config.remove. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication. |
| config.remove.system. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Wildcard right for deleting system rights. |
| default | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Default rule. Credentials remain valid for 5 minutes after they've been obtained. An acquired credential is shared by all clients. |
| entitled | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-admin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-admin-nonshared | No | No | No | No | No | No | No | Yes | Yes | |
| entitled-admin-or-authenticate-admin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-admin-or-authenticate-admin-nonshared | No | No | No | No | No | No | No | Yes | Yes | |
| entitled-appstore | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-appstore-or-entitled-authenticate-appstore | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-authenticate-admin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-authenticate-appstore | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-session-owner | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| entitled-session-owner-or-authenticate-session-owner | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| is-admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Verify that the user asking for authorization is an administrator. |
| is-admin-nonshared | No | No | No | No | No | No | No | Yes | Yes | Verify that the user asking for authorization is an administrator - nonshared right. |
| is-appstore | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| is-developer | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Verify that the user asking for authorization is a developer. |
| is-lpadmin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| is-root | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Verify that the process that created this AuthorizationRef is running as root. |
| is-session-owner | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Verify that the requesting process is running as the session owner. |
| is-webdeveloper | No | No | No | No | No | No | No | Yes | Yes | Verify that the user asking for authorization is a web developer. |
| kcunlock | No | No | No | No | No | No | Yes | Yes | Yes | |
| localauthentication-context | No | No | No | No | No | No | Yes | Yes | Yes | Used by LocalAuthentication to pass externalized context. |
| lpadmin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| on-console | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| root-or-admin-or-authenticate-admin | No | Yes | No | No | No | No | No | No | No | |
| root-or-entitled-admin-or-admin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| root-or-entitled-admin-or-app-specific-admin | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| root-or-entitled-admin-or-authenticate-admin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| root-or-lpadmin | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| sys.openfile. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | See authopen(1) for information on the use of this right. |
| system. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.burn | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For burning media. |
| system.csfde.requestpassword | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by CoreStorage Full Disk Encryption to request the user's password. |
| system.device.dvd.setregion.initial | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). |
| system.disk.unlock | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Do not modify. |
| system.global-login-items. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.hdd.smart | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For modifying SMART settings. |
| system.identity.write. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For creating, changing or deleting local user accounts and groups. |
| system.identity.write.credential | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when changing authentication credentials (password or certificate) for a local user account. |
| system.identity.write.self | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when changing authentication credentials (password or certificate) for the current user's account. |
| system.install.admin.user | Yes | No | No | No | No | No | No | No | No | |
| system.install.app-store-software | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when user is installing software from the App Store. |
| system.install.app-store-software.standard-user | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Checked when user is installing new software. |
| system.install.apple-config-data | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.install.apple-software | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when user is installing Apple-provided software. |
| system.install.apple-software.standard-user | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Checked when user is installing new software. |
| system.install.iap-software | No | No | No | Yes | Yes | Yes | Yes | No | Yes | |
| system.install.root.admin | Yes | No | No | No | No | No | No | No | No | |
| system.install.root.user | Yes | No | No | No | No | No | No | No | No | |
| system.install.software | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when user is installing new software. |
| system.install.software.iap | No | No | No | No | Yes | Yes | Yes | Yes | Yes | |
| system.install.software.mdm-provided | No | No | No | No | Yes | Yes | Yes | Yes | Yes | |
| system.keychain.create.loginkc | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by the Security framework when you add an item to an unconfigured default keychain. |
| system.keychain.modify | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by Keychain Access when editing a system keychain. |
| system.localauthentication.ui | No | No | No | No | No | No | Yes | No | Yes | Used by LocalAuthentication to display its UI. |
| system.login.console | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Login mechanism based rule. Not for general use, yet. |
| system.login.done | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.login.fus | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Login mechanism based rule. Not for general use, yet. |
| system.login.screensaver | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | The owner or any administrator can unlock the screensaver; set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent. |
| system.login.tty | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.preferences | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to certain System Preferences. |
| system.preferences.accessibility | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when making changes to the Accessibility Preferences. |
| system.preferences.accounts | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Users & Groups preference pane. |
| system.preferences.continuity | No | No | No | No | No | No | Yes | Yes | Yes | Used by Password And Continuity PrefPane to request the user's password. |
| system.preferences.datetime | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Date & Time preference pane. |
| system.preferences.energysaver | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Energy Saver preference pane. |
| system.preferences.location | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For changing the network location from the Apple menu. |
| system.preferences.network | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Network preference pane. |
| system.preferences.nvram | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.preferences.parental-controls | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when making changes to the Parental Controls preference pane. |
| system.preferences.printing | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Printing preference pane. |
| system.preferences.security | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Security preference pane. |
| system.preferences.security.remotepair | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by Bezel Services to gate IR remote pairing. |
| system.preferences.sharing | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Sharing preference pane. |
| system.preferences.softwareupdate | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Software Update preference pane. |
| system.preferences.startupdisk | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Startup Disk preference pane. |
| system.preferences.timemachine | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked by the Admin framework when making changes to the Time Machine preference pane. |
| system.preferences.version-cue | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For gating modifications to Adobe Version Cue preferences. |
| system.print.admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.print.operator | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| system.printingmanager | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For printing to locked printers. |
| system.privilege.admin | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges() is used by programs requesting to run a tool as root (e.g., some installers). |
| system.privilege.taskport | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Used by task_for_pid(...). Task_for_pid is called by programs requesting full control over another program for things like debugging or performance analysis. This authorization only applies if the requesting and target programs are run by the same user; it will never authorize access to the program of another user. WARNING: administrators are advised not to modify this right. |
| system.privilege.taskport.debug | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For use by Apple. WARNING: administrators are advised not to modify this right. |
| system.privilege.taskport.safe | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For use by Apple. |
| system.restart | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching. |
| system.services.directory.configure | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For making Directory Services changes. |
| system.services.networkextension.filtering | No | No | No | No | Yes | Yes | Yes | Yes | Yes | For making changes to the Content Filtering configuration using NetworkExtension. |
| system.services.networkextension.vpn | No | No | No | No | Yes | Yes | Yes | Yes | Yes | For making changes to the VPN configuration using NetworkExtension. |
| system.services.systemconfiguration.network | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | For making changes to network configuration via System Configuration. |
| system.sharepoints. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked when making changes to the Sharepoints. |
| system.shutdown | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching. |
| system.volume. | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | system.volume.(external\|internal\|removable).(adopt\|encode\|mount\|rename\|unmount) |
| system.volume.external. | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | system.volume.(external\|internal\|removable).(adopt\|encode\|mount\|rename\|unmount) |
| system.volume.external.adopt | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | system.volume.(external\|internal\|removable).(adopt\|encode\|mount\|rename\|unmount) |
| system.volume.network. | No | No | No | No | Yes | Yes | Yes | Yes | Yes | system.volume.network.unmount |
| system.volume.optical. | No | No | No | No | Yes | Yes | Yes | Yes | Yes | system.volume.optical.(adopt\|encode\|mount\|rename\|unmount) |
| system.volume.optical.adopt | No | No | No | No | Yes | Yes | Yes | Yes | Yes | system.volume.optical.adopt |
| system.volume.removable. | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | system.volume.(external\|internal\|removable).(adopt\|encode\|mount\|rename\|unmount) |
| system.volume.removable.adopt | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | system.volume.(external\|internal\|removable).(adopt\|encode\|mount\|rename\|unmount) |
| use-login-window-ui | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | Authenticate either as the owner or as an administrator. |

Authorization versus Authorisation

Authorisation is the British spelling variant of the word. Authorization, with a ‘z’ as opposed to an ‘s’, is the American variant.

Both are correct. Within macOS, you will see the American variant used because Apple is an American company. We tend to default to the British English variant because we are a British-based company.