Authorization Services

Access restricted areas of the operating system, and control access to particular features of your macOS app.


The Security.Authorization API is a programming interface to the Security Server and its policy database. This API facilitates access control to restricted areas of the operating system and allows you to restrict a user’s access to particular features in your macOS app. Use authorization services in:

  • Software that restricts access to its own tools

  • Applications that call system tools

  • Software installers that install privileged tools or require access to restricted areas of the operating system

As shown in Figure 1, the Security Server is a daemon running in the operating system that provides a trusted implementation of various security protocols, including authorization computation. In turn, the Security Server relies on the Security Agent to interface with users when authentication is needed. Thus an app can verify credentials (usernames and passwords) without ever accessing them directly. This authorization process also allows the means of authentication to change in the future (such as adding Touch ID) without your having to modify your app.

Figure 1. Authorization services provide an interface to the Security Server. (Diagram showing your app sitting above the Security framework, which in turn sits above the Security Server and the Security Agent.)


Authorization References


Creates a new authorization reference and provides an option to authorize or preauthorize rights.


Frees the memory associated with an authorization reference.


The flags used to specify authorization options.


A pointer to an opaque authorization reference structure.


A constant you use in functions with an environment parameter if you have no environment data to provide.

Authorization Items

Use authorization items (alone or in sets) to represent rights and environment information.


A structure containing information about an authorization right or the authorization environment.


A structure containing a set of authorization items.


An authorization item set designated to represent a set of rights.


An authorization item set designated to hold environment information relevant to authorization decisions.

Authorization Name Tags

Use name tags to define authorization security items.


Frees the memory associated with a set of authorization items.

Rights and Credentials


Retrieves supporting data such as the user name and other information gathered during evaluation of authorization.


Authorizes and preauthorizes rights synchronously.


Authorizes and preauthorizes rights asynchronously.


A block used as a callback for the asynchronous version of copying authorization rights.


A zero-terminated string in UTF-8 encoding.

Authorization Rights Flags

Recognize the values the Security Server sets in an authorization item’s flag field.

Import and Export


Creates an external representation of an authorization reference.


Internalizes the external representation of an authorization reference.


The external representation of an authorization reference.


The number of bytes in an external form structure's array.

The Policy Database


Retrieves a right definition as a dictionary.


Creates or updates a right entry in the policy database.


Removes a right from the policy database.

Policy Database Constants

Use these constants to set rights and rules in the policy database.

Executing with Root Privileges


Runs an executable tool with root privileges.


Retrieves the authorization reference passed by the AuthorizationExecuteWithPrivileges function.


Result Codes

Authorization Services Result Codes

Recognize result codes specific to the authorization services API.

See Also

Authorization and Authentication

Password AutoFill

Streamline your app’s login and onboarding procedures.

Shared Web Credentials

Share credentials between iOS apps and their website counterparts.

Authorization Plug-ins

Extend the authorization services API by creating plug-ins that can participate in authorization decisions.


Manage login, authorization, and security sessions in macOS.