Access Control Lists

Control which apps have access to keychains and keychain items in macOS.

Overview

In macOS, items in file-based keychains (as opposed to iCloud Keychain) are shared by editing the item's access control lists (ACLs). An item's access object holds one ACL entry per group of operations (for example decrypting, or changing the ACL itself), and each entry names the trusted applications that may perform those operations without a user prompt. Through this mechanism an app can grant other apps, including apps from other developers, access to its own keychain items. The same mechanism lets keychain services, after asking the user for permission, add further apps to the list authorized for a particular operation. These ACL APIs apply only to file-based keychains and are deprecated as of macOS 12; they have no effect on items held in iCloud Keychain.

Topics

Access Objects

func SecAccessCopyACLList(SecAccess, UnsafeMutablePointer<CFArray?>)

Retrieves all the access control list entries of a given access object.

func SecAccessCopyMatchingACLList(SecAccess, CFTypeRef)

Retrieves selected access control lists from a given access object.

typealias SecAccessOwnerType

The flags used when creating an access control list entry.

SecAccessOwnerType Values

Specify type values for known access owners.

class SecAccess

An opaque type that identifies a keychain or keychain item’s access information.

func SecAccessGetTypeID()

Returns the unique identifier of the opaque type to which an access object belongs.

Access Control List Objects

func SecACLCreateWithSimpleContents(SecAccess, CFArray?, CFString, SecKeychainPromptSelector, UnsafeMutablePointer<SecACL?>)

Creates a new access control list entry from the application list, description, and prompt selector provided and adds it to an item’s access object.

func SecACLRemove(SecACL)

Removes the specified access control list entry.

func SecACLCopyContents(SecACL, UnsafeMutablePointer<CFArray?>, UnsafeMutablePointer<CFString?>, UnsafeMutablePointer<SecKeychainPromptSelector>)

Returns the application list, description, and prompt selector for a given access control list entry.

func SecACLSetContents(SecACL, CFArray?, CFString, SecKeychainPromptSelector)

Sets the application list, description, and prompt selector for a given access control list entry.

func SecACLCopyAuthorizations(SecACL)

Retrieves the authorization tags of a given access control list entry.

func SecACLUpdateAuthorizations(SecACL, CFArray)

Sets the authorization tags for a given access control list entry.

ACL Authorization Keys

Specify which operations an access control list entry applies to.

struct SecKeychainPromptSelector

Bits that define when a keychain should require a passphrase.

class SecACL

An opaque type that represents information about an access control list entry.

func SecACLGetTypeID()

Returns the unique identifier of the opaque type to which an access control list object belongs.
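As an added example (not code from this page or from Apple), the following Swift decodes every ACL entry of an existing generic-password item and then tightens the entry that governs decryption so that only named applications can read the secret without a prompt. `SecKeychainItemCopyAccess`, `SecKeychainItemSetAccess` and `SecItemCopyMatching` are Security framework functions that this page does not list; the service, account and application paths are placeholders.

```swift
import Foundation
import Security

enum KeychainACLError: Error {
    case osStatus(OSStatus)
    case noDecryptEntry
}

/// Turns a non-success OSStatus into a thrown error.
func check(_ status: OSStatus) throws {
    guard status == errSecSuccess else { throw KeychainACLError.osStatus(status) }
}

/// One decoded ACL entry. `trustedApps == nil` means *any* application may
/// perform the listed operations without a prompt; an empty array means none may.
struct ACLSummary {
    let authorizations: [String]
    let description: String
    let trustedApps: [SecTrustedApplication]?
    let promptSelector: SecKeychainPromptSelector
}

/// Finds a generic-password item in a file-based keychain (placeholder values).
func findItem(service: String, account: String) throws -> SecKeychainItem {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecReturnRef: true,
    ]
    var result: CFTypeRef?
    try check(SecItemCopyMatching(query as CFDictionary, &result))
    return result as! SecKeychainItem
}

/// Decodes every ACL entry of the item's access object.
func summarizeACLs(of item: SecKeychainItem) throws -> [ACLSummary] {
    var access: SecAccess?
    try check(SecKeychainItemCopyAccess(item, &access))
    var aclList: CFArray?
    try check(SecAccessCopyACLList(access!, &aclList))
    let entries = (aclList as? [SecACL]) ?? []
    return try entries.map { (acl: SecACL) -> ACLSummary in
        var apps: CFArray?
        var description: CFString?
        var prompt = SecKeychainPromptSelector()
        try check(SecACLCopyContents(acl, &apps, &description, &prompt))
        return ACLSummary(
            authorizations: (SecACLCopyAuthorizations(acl) as? [String]) ?? [],
            description: description.map { $0 as String } ?? "",
            trustedApps: apps as? [SecTrustedApplication],
            promptSelector: prompt)
    }
}

/// Restricts the decrypt entries so only the applications at `trustedPaths`
/// can read the secret without a prompt. Writing the access object back is an
/// ACL change, so keychain services asks the item's owner to confirm it.
func restrictDecrypt(on item: SecKeychainItem, toApplicationsAt trustedPaths: [String]) throws {
    var access: SecAccess?
    try check(SecKeychainItemCopyAccess(item, &access))
    guard let access = access,
          let decryptEntries = SecAccessCopyMatchingACLList(access, kSecACLAuthorizationDecrypt) as? [SecACL],
          !decryptEntries.isEmpty
    else { throw KeychainACLError.noDecryptEntry }

    var trusted: [SecTrustedApplication] = []
    for path in trustedPaths {
        var app: SecTrustedApplication?
        try check(SecTrustedApplicationCreateFromPath(path, &app))
        trusted.append(app!)
    }
    for acl in decryptEntries {
        var apps: CFArray?
        var description: CFString?
        var prompt = SecKeychainPromptSelector()
        try check(SecACLCopyContents(acl, &apps, &description, &prompt))
        // Always pass an explicit array here: nil would re-open the entry to every app.
        try check(SecACLSetContents(acl, trusted as CFArray, description ?? ("" as CFString), prompt))
    }
    try check(SecKeychainItemSetAccess(item, access))
}

// Usage with placeholder identifiers.
do {
    let item = try findItem(service: "com.example.api", account: "deploy")
    for entry in try summarizeACLs(of: item) {
        let scope = entry.trustedApps.map { "\($0.count) app(s)" } ?? "ANY application"
        print("\(entry.authorizations) -> \(scope)")
    }
    try restrictDecrypt(on: item, toApplicationsAt: ["/Applications/ExampleHelper.app"])
} catch {
    print("keychain error: \(error)")
}
```

The entry to look for when auditing is one whose `trustedApps` is `nil`: keychain services treats a missing application list as "every application", so such an entry lets any process on the machine read the item with no prompt.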

Trusted Applications

func SecTrustedApplicationCreateFromPath(UnsafePointer<Int8>?, UnsafeMutablePointer<SecTrustedApplication?>)

Creates a trusted application object based on the application specified by path.

func SecTrustedApplicationSetData(SecTrustedApplication, CFData)

Sets the data of a given trusted application object.

class SecTrustedApplication

An opaque type that contains information about a trusted application.

func SecTrustedApplicationGetTypeID()

Returns the unique identifier of the opaque type to which a trusted application object belongs.
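As an added example (not code from this page or from Apple), the following Swift builds a trusted-application list, creates an access object from it with `SecAccessCreate`, and stores a new generic-password item governed by that access object. `SecAccessCreate`, `SecItemAdd` and the `kSecAttrAccess` attribute are Security framework symbols this page does not list; the helper path, service and account are placeholders.

```swift
import Foundation
import Security

enum KeychainACLError: Error { case osStatus(OSStatus) }

/// Turns a non-success OSStatus into a thrown error.
func check(_ status: OSStatus) throws {
    guard status == errSecSuccess else { throw KeychainACLError.osStatus(status) }
}

/// Builds a trusted-application list. A nil path refers to the calling
/// application itself; other entries are paths to app bundles or tools on disk.
func trustedApplications(paths: [String?]) throws -> [SecTrustedApplication] {
    try paths.map { (path: String?) -> SecTrustedApplication in
        var app: SecTrustedApplication?
        try check(SecTrustedApplicationCreateFromPath(path, &app))
        return app!
    }
}

/// Creates an access object whose default ACL entries trust `trusted`.
/// Pass an explicit array, even an empty one: a nil trusted list would let
/// every application use the item without a prompt.
func makeAccess(label: String, trusted: [SecTrustedApplication]) throws -> SecAccess {
    var access: SecAccess?
    try check(SecAccessCreate(label as CFString, trusted as CFArray, &access))
    return access!
}

/// Stores `secret` as a generic-password item governed by `access`.
func addSecret(service: String, account: String, secret: Data, access: SecAccess) throws {
    let attributes: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData: secret,
        kSecAttrAccess: access,
    ]
    try check(SecItemAdd(attributes as CFDictionary, nil))
}

// Usage: trust only this process and one helper tool (placeholder path), then
// confirm the resulting access object actually carries ACL entries.
do {
    let trusted = try trustedApplications(paths: [nil, "/Applications/ExampleHelper.app"])
    let access = try makeAccess(label: "Example API token", trusted: trusted)
    try addSecret(service: "com.example.api", account: "deploy",
                  secret: Data("constructed-sample-token".utf8), access: access)
    var list: CFArray?
    try check(SecAccessCopyACLList(access, &list))
    print("access object carries \((list as? [SecACL])?.count ?? 0) ACL entries")
} catch {
    print("keychain error: \(error)")
}
```

The trusted list is fixed when the access object is created; an app that is later added to the list, or one that was not in it, is handled by the prompting path described in the Overview rather than by silent access.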

Keychain Item Access Objects

See Also

API Components

Keychain Items

Embed confidential information in items that you store in a keychain.

Keychains

Create and manage entire keychains in macOS.