Fine-tuning
Rights in the Authorization Policy DatabaseFine-tuning
Rights in the Authorization Policy DatabaseAs outlined in the chapter The First Launch of the Application, NFS Manager integrates into the security environment of OS X to fulfill the guidelines for high-end system applications. If necessary, experienced administrators can fine-tune the policy by which OS X decides to ask or not to ask for user credentials whenever NFS Manager has to be perform a privileged operation. For example, authorization can be passed to a fingerprint reader when certain rights are being requested.
NFS Manager itself cannot assist you in modifying the Authorization Policy Database because this is a chicken and egg problem: Accessing the database requires privileged rights managed by the database. The application could easily lose the rights to change the rights stored in the file which defines the rights.
Administrators who like to change the authorization policy should have read and understood the following documentation available from Apple:
All authorization rights used by NFS Manager are prefixed with the identifier com.bresink. The table below defines the names of all rights and their meanings. Note that the table might include rights not in active use by NFS Manager but by other applications of Marcel Bresink Software-Systeme. In initial configuration, all rights are configured to follow the authorization policy rule named default.
By default, the authorization rule named default is preconfigured by Apple and establishes the following policy:
| Right Identification | Meaning |
|---|---|
| com.bresink.compare.folders | Comparing the contents of file system folders. |
| com.bresink.count.file-objects | Counting objects in file systems. |
| com.bresink.create.file-object | Creating a new file system object owned by the system administrator. |
| com.bresink.create.link | Creating a file system link. |
| com.bresink.delete.file-objects | Deleting one or more file system objects. |
| com.bresink.delete.file-subtree | Deleting one or more file system objects recursively. |
| com.bresink.delete.folder-contents | Deleting the contents of one or more folders. |
| com.bresink.delete.hibernation-file | Deleting the power management hibernation file. |
| com.bresink.enable.mbs-evaluation | Enabling evaluation mode of Marcel Bresink software products. |
| com.bresink.execute.atsutil | Executing the atsutil command to maintain Apple Type Services. |
| com.bresink.execute.cupsctl | Executing the cupsctl command to interact with the printing subsystem. |
| com.bresink.execute.diskutil | Executing the diskutil command for disk maintenance. |
| com.bresink.execute.ditto | Executing the ditto command to copy file system objects. |
| com.bresink.execute.launchctl | Executing the launchctl command to interact with the launch service. |
| com.bresink.execute.lipo | Executing the lipo command to modify fat executables. |
| com.bresink.execute.mdutil | Executing the mdutil command for Spotlight-related maintenance. |
| com.bresink.execute.package_repair | Executing the repair command to reset file permissions. |
| com.bresink.execute.periodic | Executing the operating system's periodic jobs. |
| com.bresink.execute.umount | Executing commands to unmount file systems. |
| com.bresink.flush.lookup-cache | Clearing the cache of Directory Services. |
| com.bresink.get.storage-size | Computing the storage size of a subtree of file system objects. |
| com.bresink.inspect.file-object | Verifying if a file system object exists at a certain location. |
| com.bresink.manage.acl-support | Managing the support of Access Control Lists in file systems. |
| com.bresink.modify.acl-permissions | Modifying the ACL permission settings of a file system object. |
| com.bresink.modify.file-content | Modifying contents of a system-related file. |
| com.bresink.modify.ownership | Modifying the ownership of a file system object. |
| com.bresink.modify.posix-permissions | Modifying the POSIX permission settings of a file system object. |
| com.bresink.modify.power-management | Enabling or disabling features of the power management. |
| com.bresink.modify.protect-attribute | Changing the protection attributes of file systems objects. |
| com.bresink.mount.file-system | Mounting a file system. |
| com.bresink.prepuninst.mbs-security-tool | Preparing removal of the security component. |
| com.bresink.propagate.permissions | Propagating permission settings of a folder to objects it contains. |
| com.bresink.refresh.automounter | Letting the automounter update the mount configuration. |
| com.bresink.remove.system-protecton | Removing the system protection of file systems objects. |
| com.bresink.rename.file-object | Renaming a file system object. |
| com.bresink.restart.nfs-server | Restarting the NFS file server. |
| com.bresink.search.aged-files | Searching file system objects of a certain age. |
| com.bresink.search.filename-pattern | Searching file system objects having names of a certain pattern. |
| com.bresink.search.name-patterns | Searching file system objects matching multiple name patterns. |
| com.bresink.set.disk-spindown | Setting the system's spindown time for hard drives. |
| com.bresink.set.hfs-attributes | Setting HFS attributes of file system objects. |
| com.bresink.set.kernel-value | Modifying a live setting of the operating system kernel. |
| com.bresink.set.network-mtu | Modifying the maximum transfer unit of a network interface. |
| com.bresink.set.nvram | Modifying a computer setting stored in non-volatile memory. |
| com.bresink.set.system-config | Changing a system configuration value. |
| com.bresink.set.system-preference | Changing a system-wide preference setting. |
| com.bresink.shutdown.mbs-security-tool | Shutting down the security component of MBS software products. |
| com.bresink.stop.process | Stopping a running process. |
| com.bresink.stop.startsound-control | Shutting down management software for the startup sound. |
| com.bresink.touch.file-object | Updating the modification time of a file system object. |
| com.bresink.update.dyld-cache | Updating shared cache information for dynamic linking in programs. |
| com.bresink.whoami.diagnostic | Performing diagnostic functions with the security component. |