How to find relationship between logged-in users and processes?

Hello,

Let's say I have several opened user sessions in parallel. Endpoint Security notifies about executing a process (ES_EVENT_TYPE_NOTIFY_EXEC) and provides an audit token. The goal is to find the relationship between logged-in users and the new process.

Can I use the audit user ID for this?

Thank you in advance.

I’m not 100% sure I understand your question but…

The standard practice for this sort of thing is to get the user ID from the audit token with audit_token_to_pid.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the reply!

I am afraid the PID is not what I need. I need to find the logged-in user associated with the process.

I found the following description of audit user (non-official docs):

Audit User ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - john).

Is it true for macOS?

Thank you for your help!

Oh, yeah, sorry, I completely misread your ask. (Juggling way too many threads yesterday, after coming back from the Thanksgiving break)-:

audit_token_t has many accessors, including audit_token_to_euid and audit_token_to_ruid. That’s what you’re looking for, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am looking for the audit_token_to_auid() description. What is the audit user ID? Is this the value that is assigned to a user upon login and is inherited by every process he starts in the session?

Thank you for your time and help!

Accepted Answer
What is the audit user ID?

It’s a uid_t value that, when a message is sent via Mach IPC [1] tracks the origin of the message. It’s not useful outside of that context.

Is this the value that is assigned to a user upon login and is inherited by every process he starts in the session?

No.

The closest thing with those semantics is the audit session ID (audit_token_to_asid).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] And hence things layered on top of Mach messaging, most notably XPC.

Thank you a lot!
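An added example (not code from this thread, from Apple, or from libbsm) of applying the accepted answer: an exec event's audit token is keyed to a login session by its audit session ID (audit_token_to_asid), while audit_token_to_euid / audit_token_to_ruid describe the identity the process currently runs as and audit_token_to_pid identifies only the process. Assumptions: the session table and the tokens are constructed sample data, and the non-macOS stand-in for the accessors assumes the field order libbsm reads from audit_token_t.val[] so the logic can be unit-tested off macOS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach/mach.h>
#include <bsm/libbsm.h>   /* audit_token_to_asid / _ruid / _euid / _pid, as named in the thread */
#else
/* Host-side stand-in so the logic can be unit-tested off macOS. It mirrors the field
 * order libbsm's accessors read from audit_token_t.val[]; that order is an assumption
 * about libbsm internals, not a documented ABI. On macOS the real accessors are used. */
typedef struct { uint32_t val[8]; } audit_token_t;
static uint32_t audit_token_to_euid(audit_token_t t) { return t.val[1]; }
static uint32_t audit_token_to_ruid(audit_token_t t) { return t.val[3]; }
static int32_t  audit_token_to_pid (audit_token_t t) { return (int32_t)t.val[5]; }
static uint32_t audit_token_to_asid(audit_token_t t) { return t.val[6]; }
#endif
/* Build a token in libbsm field order (auid, euid, egid, ruid, rgid, pid, asid, pidversion).
 * Only for constructing sample events; a real ES client reads msg->process->audit_token. */
static audit_token_t make_token(uint32_t auid, uint32_t euid, uint32_t egid, uint32_t ruid,
                                uint32_t rgid, int32_t pid, uint32_t asid) {
    audit_token_t t = {{auid, euid, egid, ruid, rgid, (uint32_t)pid, asid, 0}};
    return t;
}
/* Login sessions the agent already tracks, keyed by audit session ID.
 * Constructed sample data: asid values and user names are made up. */
struct login_session { uint32_t asid; const char *user; };
static const struct login_session kSessions[] = { { 100042, "alice" }, { 100043, "bob" } };
static const size_t kSessionCount = sizeof(kSessions) / sizeof(kSessions[0]);
/* Map an exec'd process to the login session it runs in. The key is the asid, which
 * survives su/sudo inside the session; euid/ruid are the identity the process runs
 * as right now, and pid identifies only the process. */
static const char *session_user_for_process(audit_token_t tok) {
    uint32_t asid = audit_token_to_asid(tok);
    for (size_t i = 0; i < kSessionCount; i++)
        if (kSessions[i].asid == asid) return kSessions[i].user;
    return NULL;  /* no tracked login session: daemon, launchd job, etc. */
}
/* True when the effective uid differs from the real uid, i.e. a setuid executable. */
static int effective_differs_from_real(audit_token_t tok) {
    return audit_token_to_euid(tok) != audit_token_to_ruid(tok);
}
int main(void) {  /* constructed event: a process in alice's session after switching to uid 503 */
    audit_token_t t = make_token(501, 503, 20, 503, 20, 4242, 100042);
    const char *u = session_user_for_process(t);
    printf("pid %d runs as uid %u in the session of %s\n", audit_token_to_pid(t),
           audit_token_to_euid(t), u ? u : "(none)");
    return 0;
}
```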
