AuthorizationDB Right Actions

Privilege Manager provides the following default AuthorizationDB Right actions.

Action	AuthorizationDB Riight
Activity Monitor Kill Authorization Right	com.apple.activitymonitor.kill
Activity Monitor Sudo Authorization Right	com.apple.activitymonitor.sudo
Bless Helper Authorization Right	com.apple.ServiceManagement.blesshelper
Install Apple Software Authorization Right	system.install.apple-software
Modify LaunchDaemons Authorization Right	com.apple.ServiceManagement.daemons.modify
Modify System Keychain Authorization Right	system.keychain.modify
Privilege Manager Settings Authorization Right	com.dellinea.preferences.acsagent
Xcode FLE Authorization Right	com.apple.dt.Xcode.LicenseAgreementXPCServiceRights
Change Time Zone AuthorizationDB Right Action	system.preferences.dateandtime.changetimezone
Date & Time AuthorizationDB Right Action	system.preferences.datetime
Network AuthorizationDB Right Action	system.preferences.network
System Preferences AuthorizationDB Right Action	system.preferences
Wi-Fi AuthorizationDB Right Action	com.apple.wifi

Creating a Custom AuthorizationDB Right Action

1. Navigate to Admin | Actions.

2. Click Create Action.

3. From the Platform drop-down select macOS.

4. From the Type drop-down select AuthorizationDB Right Action.

   

5. Enter a name, that allows you to easily identify the action for future use.

6. Click Create.

   

7. Under Authorization DB Right Settings in the Right Name field enter the desired authorization database right name.

8. Click Save Changes.

The action can now be added to existing macOS elevation policies or selected at policy creation following the use of Modify Authorization Right on the final create policy wizard page by selecting it from the Right Name drop-down.

Refer to the following examples:

• Elevating Xcode
• Elevating Modifying the Keychain
• Elevating Charles Proxy
• Elevating Activity Monitor

AuthorizationDB Right Actions for System Settings Panes

System Settings Panes are now elevated using the necessary AuthorizationDB Right Actions instead of the Run as Root action.

The following table lists the rights needed to elevate System Settings Panes. The AuthorizationDB Right Action that Delinea provides is shown in parenthesis beside the action. If there is not a provided policy for a System Settings Pane, Delinea does not ensure that the listed AuthorizationDB Rights are comprehensive.

Refer to the file /System/Library/Security/authorization.plist that includes all rights and what they are used for. (The System Settings section is the dictionary where the first key is system.preferences.)

System Settings Pane	AuthorizationDB Rights
Date & Time	system.preferences.dateandtime.changetimezone (Change Time Zone AuthorizationDB Right Action) system.preferences.datetime (Date & Time AuthorizationDB Right Action)
Energy Saver/Battery	system.preferences (System Preferences AuthorizationDB Right Action)
Lock Screen	system.preferences (System Preferences AuthorizationDB Right Action)
Network (and VPN)	system.preferences.network (Network AuthorizationDB Right Action) system.preferences (System Preferences AuthorizationDB Right Action)
Privacy & Security	system.preferences.security com.apple.DiskManagement.reserveKEK system.services.directory.configure system.preferences (System Preferences AuthorizationDB Right Action)
Time Machine	system.preferences (System Preferences AuthorizationDB Right Action)
Wi-Fi	com.apple.wifi (Wi-Fi AuthorizationDB Right Action)