Authorization Services

Access restricted areas of the operating system, and control access to particular features of your macOS app.

Overview

The Security.Authorization API is a programming interface to the Security Server and its policy database. This API facilitates access control to restricted areas of the operating system and allows you to restrict a user’s access to particular features in your macOS app. Use authorization services in:

  • Software that restricts access to its own tools

  • Applications that call system tools

  • Software installers that install privileged tools or require access to restricted areas of the operating system

As shown in Figure 1, the Security Server is a daemon running in the operating system that provides a trusted implementation of various security protocols, including authorization computation. In turn, the Security Server relies on the Security Agent to interface with users when authentication is needed. Thus an app can verify credentials (usernames and passwords) without ever accessing them directly. This authorization process also allows the means of authentication to change in the future (such as adding Touch ID) without your having to modify your app.

Figure 1: Authorization services provide an interface to the Security Server. (Diagram showing your app sitting above the Security framework, which in turn sits above the Security Server and the Security Agent.)

Topics

Authorization References

AuthorizationCreate

Creates a new authorization reference and provides an option to authorize or preauthorize rights.

AuthorizationFree

Frees the memory associated with an authorization reference.

AuthorizationFlags

The flags used to specify authorization options.

AuthorizationRef

A pointer to an opaque authorization reference structure.

kAuthorizationEmptyEnvironment

A constant you use in functions with an environment parameter if you have no environment data to provide.

Authorization Items

Use authorization items (alone or in sets) to represent rights and environment information.

AuthorizationItem

A structure containing information about an authorization right or the authorization environment.

AuthorizationItemSet

A structure containing a set of authorization items.

AuthorizationRights

An authorization item set designated to represent a set of rights.

AuthorizationEnvironment

An authorization item set designated to hold environment information relevant to authorization decisions.

Authorization Name Tags

Use name tags to define authorization security items.

AuthorizationFreeItemSet

Frees the memory associated with a set of authorization items.

Rights and Credentials

AuthorizationCopyInfo

Retrieves supporting data such as the user name and other information gathered during evaluation of authorization.

AuthorizationCopyRights

Authorizes and preauthorizes rights synchronously.

AuthorizationCopyRightsAsync

Authorizes and preauthorizes rights asynchronously.

AuthorizationAsyncCallback

A block used as a callback for the asynchronous version of copying authorization rights.

AuthorizationString

A zero-terminated string in UTF-8 encoding.

Authorization Rights Flags

Recognize the values the Security Server sets in an authorization item’s flag field.

Import and Export

AuthorizationMakeExternalForm

Creates an external representation of an authorization reference.

AuthorizationCreateFromExternalForm

Internalizes the external representation of an authorization reference.

AuthorizationExternalForm

The external representation of an authorization reference.

kAuthorizationExternalFormLength

The number of bytes in an external form structure's array.

The Policy Database

AuthorizationRightGet

Retrieves a right definition as a dictionary.

AuthorizationRightSet

Creates or updates a right entry in the policy database.

AuthorizationRightRemove

Removes a right from the policy database.

Policy Database Constants

Use these constants to set rights and rules in the policy database.

Executing with Root Privileges

AuthorizationExecuteWithPrivileges

Runs an executable tool with root privileges.

Deprecated

AuthorizationCopyPrivilegedReference

Retrieves the authorization reference passed by the AuthorizationExecuteWithPrivileges function.

Deprecated

Result Codes

Authorization Services Result Codes

Recognize result codes specific to the authorization services API.

See Also

Authorization and Authentication

Password AutoFill

Streamline your app’s login and onboarding procedures.

Shared Web Credentials

Share credentials between iOS apps and their website counterparts.

Authorization Plug-ins

Extend the authorization services API by creating plug-ins that can participate in authorization decisions.

Sessions

Manage login, authorization, and security sessions in macOS.