/Volumes/Elcaptian/private/var/db > sudo sqlite3 auth.db
SQLite version 3.8.10.2 2015-05-20 18:17:19
Enter ".help" for usage hints.

sqlite> .schema
-- delegates_map: links one rules row (r_id) to another rules row (d_id).
-- Both columns reference rules(id) with ON DELETE CASCADE, so removing a rule
-- removes its links in either direction.
-- ord is presumably the position of d_id within r_id's list (the (r_id, ord)
-- index below fits that reading) -- confirm.
-- NOTE(review): SQLite enforces REFERENCES clauses only on connections where
-- PRAGMA foreign_keys is ON; an ad-hoc sqlite3 session may not cascade.
CREATE TABLE delegates_map (r_id INTEGER NOT NULL REFERENCES rules(id) 
                    ON DELETE CASCADE,d_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,ord INTEGER NOT NULL);
-- Lookup indexes: by delegate, by owning rule, and by owning rule plus ord.
CREATE INDEX d_map_d_id ON delegates_map(d_id);
CREATE INDEX d_map_r_id ON delegates_map(r_id);
CREATE INDEX d_map_r_id_ord ON delegates_map (r_id, ord);
-- mechanisms: one row per (plugin, param, privileged) combination; the unique
-- index below prevents duplicates of the same triple.
-- privileged is restricted to 0 or 1 and defaults to 0.
-- NOTE(review): presumably 1 marks a mechanism that runs with elevated
-- privilege -- confirm. If so, rows with privileged = 1 are the ones to
-- baseline and audit for unexpected additions.
CREATE TABLE mechanisms (id INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE,plugin TEXT NOT NULL,param TEXT NOT NULL,
                    privileged INTEGER CHECK (privileged = 0 OR privileged = 1) NOT NULL DEFAULT (0));
CREATE UNIQUE INDEX mechanisms_lookup ON mechanisms (plugin,param,privileged);
-- mechanisms_map: attaches mechanisms rows (m_id) to a rules row (r_id).
-- Deleting either the rule or the mechanism cascades to the mapping row
-- (subject to foreign-key enforcement being enabled on the connection).
-- ord is presumably the order in which a rule's mechanisms are applied -- confirm.
CREATE TABLE mechanisms_map (r_id INTEGER NOT NULL REFERENCES rules(id) 
                ON DELETE CASCADE,m_id INTEGER NOT NULL REFERENCES mechanisms(id) ON DELETE CASCADE,ord INTEGER NOT NULL);
-- Lookup indexes: by mechanism, by rule, and by rule plus ord.
CREATE INDEX m_map_m_id ON mechanisms_map (m_id);
CREATE INDEX m_map_r_id ON mechanisms_map (r_id);
CREATE INDEX m_map_r_id_ord ON mechanisms_map (r_id, ord);
-- rules: one row per named entry; name is unique and is what the other tables
-- point at through rules(id).
-- type is restricted to 1 or 2. In the listing further down this page, type 1
-- rows carry right names (com.apple.*, system.*, config.*) and type 2 rows
-- carry rule names (admin, authenticate-admin, is-root, ...), so presumably
-- 1 = right and 2 = rule -- confirm.
-- class must be > 0 when present. NOTE(review): the listing shows values 1-5;
-- 'allow' ("Allow anyone.") is class 4 and 'config.config.' ("Not allowed
-- programmatically") is class 5, which suggests 4 = allow and 5 = deny.
-- Confirm before relying on the numbers.
-- 'group' is written in single quotes; SQLite accepts the quoted string as an
-- identifier in this position, so the column is named group.
-- kofn, timeout, flags, tries, hash, identifier and requirement are nullable;
-- their meaning and units are not shown on this page.
-- created and modified are REAL with default 0; the epoch is not shown here.
CREATE TABLE rules (id INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE,
                    name TEXT NOT NULL UNIQUE,
                    type INTEGER CHECK (type = 1 OR type = 2) NOT NULL,
                   class INTEGER CHECK (class > 0),         'group' TEXT,
                    kofn INTEGER,                           timeout INTEGER,            flags INTEGER,     tries INTEGER,
                 version INTEGER NOT NULL DEFAULT (0),
                 created REAL NOT NULL DEFAULT (0),         modified REAL NOT NULL DEFAULT (0),
                    hash BLOB,                              identifier TEXT,            requirement BLOB,   comment TEXT);
-- Index for selecting all rows of one type.
CREATE INDEX a_type ON rules (type);
-- config: key/value store. 'key' is single-quoted (SQLite treats it as the
-- column name key); value has no declared type, so it accepts any storage class.
CREATE TABLE config ('key' TEXT PRIMARY KEY NOT NULL UNIQUE,value);
-- prompts: per-rule text keyed by language (lang); rows are removed with their
-- rule via ON DELETE CASCADE. Presumably the localized prompt shown for a
-- rule -- confirm.
CREATE TABLE prompts (r_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,  lang TEXT NOT NULL,  value TEXT NOT NULL);
CREATE INDEX p_r_id ON prompts(r_id);
-- buttons: same shape as prompts (rule id, language, text); rows are removed
-- with their rule via ON DELETE CASCADE. Presumably localized button labels -- confirm.
CREATE TABLE buttons (r_id INTEGER NOT NULL REFERENCES rules(id) ON DELETE CASCADE,  lang TEXT NOT NULL,  value TEXT NOT NULL);
CREATE INDEX b_r_id ON buttons(r_id);

;
sqlite> .tables
buttons         delegates_map   mechanisms_map  rules         
config          mechanisms      prompts       

sqlite> select count(*) from buttons;
0
sqlite> select count(*) from delegates_map;
119
sqlite> select count(*) from mechanisms_map;
47
sqlite> select count(*) from rules;
163

sqlite> select count(*) from config;
2
sqlite> select count(*) from mechanisms;
36
sqlite> select count(*) from prompts;
1



-- Column widths for name, type, class, kofn, comment. Column mode truncates
-- values to these widths, so names longer than 50 characters and comments
-- longer than 90 are cut off in the listing below.
sqlite> .width 50 4 4 5 90
sqlite> .mode col
-- Lists every rules row by name. Comments that apparently contain embedded
-- newlines spill onto an indented second line (e.g. authenticate-admin-30,
-- default). Use another output mode or query the row directly for the full text.
sqlite> select name,type,class, kofn, comment from rules order by name;

                                                    1     2            Matches otherwise unmatched rights (i.e., is a default).                                  
admin                                               2     1                                                                                                      
allow                                               2     4            Allow anyone.                                                                             
app-specific-admin                                  2     1                                                                                                      
appserver-admin                                     2     1                                                                                                      
appserver-user                                      2     1                                                                                                      
authenticate                                        2     3                                                                                                      
authenticate-admin                                  2     1            Authenticate as an administrator.                                                         
authenticate-admin-30                               2     1            Like the default rule, but 
            credentials remain valid for only 30 seconds after
authenticate-admin-extract                          2     1            Authenticate as an administrator + allow password extraction.                             
authenticate-admin-or-staff-extract                 2     2     1                                                                                                
authenticate-appstore-30                            2     1                                                                                                      
authenticate-developer                              2     1            Authenticate as a developer.                                                              
authenticate-session-owner                          2     1            Authenticate as the session owner.                                                        
authenticate-session-owner-or-admin                 2     1            Authenticate either as the owner or as an administrator.                                  
authenticate-session-user                           2     1            Same as authenticate-session-owner.                                                       
authenticate-staff-extract                          2     1            Authenticate as group staff + allow password to be extracted.                             
com.apple.                                          1     2                                                                                                      
com.apple.AOSNotification.FindMyMac.modify          1     2     1                                                                                                
com.apple.AOSNotification.FindMyMac.remove          1     1                                                                                                      
com.apple.CoreRAID.admin                            1     2            Used by CoreRAID to allow access to administration functions of RAID devices              
com.apple.DiskManagement.                           1     2     1      Used by diskmanagementd to allow access to its privileged functions                       
com.apple.DiskManagement.internal.                  1     2     1      Used by diskmanagementd to allow access to its privileged functions                       
com.apple.DiskManagement.reserveKEK                 1     1            Used by diskmanagementd to allow use of the reserve KEK.                                  
com.apple.KerberosAgent                             1     3            Used to acquire Kerberos credentials.                                                     
com.apple.OpenScripting.additions.send              1     1            Used to send restricted scripting addition commands to processes that require authorizatio
com.apple.ReportPanic.fixRight                      1     1                                                                                                      
com.apple.Safari.allow-apple-events-to-run-javascr  1     1            This right is used by Safari to allow Apple Events to run JavaScript on web pages.        
com.apple.Safari.allow-javascript-in-smart-search-  1     1            This right is used by Safari to allow JavaScript to be used in the Smart Search Field.    
com.apple.Safari.allow-unsigned-app-extensions      1     1            This right is used by Safari to allow unsigned extensions in the Develop Menu.            
com.apple.Safari.install-ephemeral-extensions       1     1            This is the right used by Safari to install an ephemeral extension without a developer cer
com.apple.Safari.parental-controls                  1     2     1      Checked when changing parental controls for Safari.                                       
com.apple.Safari.show-credit-card-numbers           1     1            This right is used by Safari to show credit card numbers.                                 
com.apple.Safari.show-passwords                     1     1            This right is used by Safari to show passwords.                                           
com.apple.ServiceManagement.blesshelper             1     1            Used by the ServiceManagement framework to add a privileged helper tool to the system laun
com.apple.ServiceManagement.daemons.modify          1     2     1      Used by the ServiceManagement framework to make changes to the system launchd's set of dae
com.apple.SoftwareUpdate.modify-settings            1     2            Checked by the Admin framework when making changes to the Software Update preference pane.
com.apple.SoftwareUpdate.scan                       1     2            Checked when user is updating software.                                                   
com.apple.XType.fontmover.install                   1     1                                                                                                      
com.apple.XType.fontmover.remove                    1     1                                                                                                      
com.apple.XType.fontmover.restore                   1     2                                                                                                      
com.apple.activitymonitor.kill                      1     2            Used by Activity Monitor to authorize killing processes not owned by the user.            
com.apple.appserver.privilege.admin                 1     2            For administrative access to the Application Server management tool.                      
com.apple.appserver.privilege.user                  1     2     1      For user access to the Application Server management tool.                                
com.apple.builtin.confirm-access                    1     3                                                                                                      
com.apple.builtin.confirm-access-password           1     3                                                                                                      
com.apple.builtin.generic-new-passphrase            1     3                                                                                                      
com.apple.builtin.generic-unlock                    1     3                                                                                                      
com.apple.container-repair                          1     1                                                                                                      
com.apple.dashboard.advisory.allow                  1     1                                                                                                      
com.apple.desktopservices                           1     1            For privileged file operations from within the Finder.                                    
com.apple.desktopservices.scripted                  1     1            For scripting-initiated privileged file operations from within the Finder.                
com.apple.docset.install                            1     1            Used by Xcode to restrict access to a daemon it uses to install and update documentation s
com.apple.dt.Xcode.LicenseAgreementXPCServiceRight  1     1            Xcode FLE rights                                                                          
com.apple.familycontrols.loginwindow.override       1     3            This right is checked when overriding a parental control restriction                      
com.apple.familycontrols.override                   1     1            This right is checked when overriding parental controls from a user account               
com.apple.iBooksX.ParentalControl                   1     1            Checked when making changes to the Parental Controls for iBooks.                          
com.apple.icloud.passwordreset                      1     1            Authenticate as the session owner to reset iCloud password                                
com.apple.library-repair                            1     1                                                                                                      
com.apple.lldb.LaunchUsingXPC                       1     1                                                                                                      
com.apple.opendirectoryd.linkidentity               1     2                                                                                                      
com.apple.pf.rule                                   1     1                                                                                                      
com.apple.security.assessment.update                1     2                                                                                                      
com.apple.security.syntheticinput                   1     2                                                                                                      
com.apple.server.admin.streaming                    1     2     1      For making administrative requests to the QuickTime Streaming Server.                     
com.apple.trust-settings.admin                      1     1            For modifying Trust Settings in the Local Admin domain.                                   
com.apple.trust-settings.user                       1     2            For modifying per-user Trust Settings.                                                    
com.apple.uninstalld.uninstall                      1     2                                                                                                      
com.apple.wifi                                      1     2     1      For restricting WiFi control                                                              
com.apple.wireless-diagnostics                      1     1            Used by the WirelessDiagnosticsSupport framework to restrict XPC services provided by the 
config.add.                                         1     4            Wildcard right for adding rights.  Anyone is allowed to add any (non-wildcard) rights.    
config.config.                                      1     5            Wildcard right for any change to meta-rights for db modification.  Not allowed programmati
config.modify.                                      1     2     1      Wildcard right for modifying rights.  Admins are allowed to modify any (non-wildcard) righ
config.remove.                                      1     2     1      Wildcard right for deleting rights.  Admins are allowed to delete any (non-wildcard) right
config.remove.system.                               1     5            Wildcard right for deleting system rights.                                                
default                                             2     1            Default rule.	
            Credentials remain valid for 5 minutes after they've been obtai
entitled                                            2     3                                                                                                      
entitled-admin                                      2     2     2                                                                                                
entitled-admin-or-authenticate-admin                2     2     1                                                                                                
entitled-appstore                                   2     2     2                                                                                                
entitled-appstore-or-entitled-authenticate-appstor  2     2     1                                                                                                
entitled-authenticate-admin                         2     2     2                                                                                                
entitled-authenticate-appstore                      2     2     2                                                                                                
entitled-session-owner                              2     2     2                                                                                                
entitled-session-owner-or-authenticate-session-own  2     2     1                                                                                                
is-admin                                            2     1            Verify that the user asking for authorization is an administrator.                        
is-appstore                                         2     1                                                                                                      
is-developer                                        2     1            Verify that the user asking for authorization is a developer.                             
is-lpadmin                                          2     1                                                                                                      
is-root                                             2     1            Verify that the process that created this AuthorizationRef is running as root.            
is-session-owner                                    2     1            Verify that the requesting process is running as the session owner.                       
lpadmin                                             2     1                                                                                                      
on-console                                          2     3                                                                                                      
root-or-entitled-admin-or-admin                     2     2     1                                                                                                
root-or-entitled-admin-or-app-specific-admin        2     2     1                                                                                                
root-or-entitled-admin-or-authenticate-admin        2     2     1                                                                                                
root-or-lpadmin                                     2     2     1                                                                                                
sys.openfile.                                       1     1            See authopen(1) for information on the use of this right.                                 
system.                                             1     2                                                                                                      
system.burn                                         1     4            For burning media.                                                                        
system.csfde.requestpassword                        1     2            Used by CoreStorage Full Disk Encryption to request the user's password.                  
system.device.dvd.setregion.initial                 1     1            Used by the DVD player to set the region code the first time.  Note that changing the regi
system.disk.unlock                                  1     3            Do not modify.                                                                            
system.global-login-items.                          1     2     1                                                                                                
system.hdd.smart                                    1     4            For modifying SMART settings.                                                             
system.identity.write.                              1     2     1      For creating, changing or deleting local user accounts and groups.                        
system.identity.write.credential                    1     2            Checked when changing authentication credentials (password or certificate) for a local use
system.identity.write.self                          1     1            Checked when changing authentication credentials (password or certificate) for the current
system.install.app-store-software                   1     2            Checked when user is installing software from the App Store.                              
system.install.app-store-software.standard-user     1     1            Checked when user is installing new software.                                             
system.install.apple-config-data                    1     2                                                                                                      
system.install.apple-software                       1     2            Checked when user is installing Apple-provided software.                                  
system.install.apple-software.standard-user         1     1            Checked when user is installing new software.                                             
system.install.software                             1     1            Checked when user is installing new software.                                             
system.install.software.iap                         1     1                                                                                                      
system.install.software.mdm-provided                1     2                                                                                                      
system.keychain.create.loginkc                      1     3            Used by the Security framework when you add an item to an unconfigured default keychain.  
system.keychain.modify                              1     1            Used by Keychain Access when editing a system keychain.                                   
system.login.console                                1     3            Login mechanism based rule.  Not for general use, yet.                                    
system.login.done                                   1     3                                                                                                      
system.login.fus                                    1     3            Login mechanism based rule.  Not for general use, yet.                                    
system.login.screensaver                            1     2            The owner or any administrator can unlock the screensaver, set rule to "authenticate-sessi
system.login.tty                                    1     2                                                                                                      
system.preferences                                  1     1            Checked by the Admin framework when making changes to certain System Preferences.         
system.preferences.accessibility                    1     1            Checked when making changes to the Accessibility Preferences.                             
system.preferences.accounts                         1     1            Checked by the Admin framework when making changes to the Users & Groups preference pane. 
system.preferences.datetime                         1     1            Checked by the Admin framework when making changes to the Date & Time preference pane.    
system.preferences.energysaver                      1     1            Checked by the Admin framework when making changes to the Energy Saver preference pane.   
system.preferences.location                         1     2     1      For changing the network location from the Apple menu.                                    
system.preferences.network                          1     1            Checked by the Admin framework when making changes to the Network preference pane.        
system.preferences.nvram                            1     2     1                                                                                                
system.preferences.parental-controls                1     1            Checked when making changes to the Parental Controls preference pane.                     
system.preferences.printing                         1     1            Checked by the Admin framework when making changes to the Printing preference pane.       
system.preferences.security                         1     1            Checked by the Admin framework when making changes to the Security preference pane.       
system.preferences.security.remotepair              1     1            Used by Bezel Services to gate IR remote pairing.                                         
system.preferences.sharing                          1     1            Checked by the Admin framework when making changes to the Sharing preference pane.        
system.preferences.softwareupdate                   1     1            Checked by the Admin framework when making changes to the Software Update preference pane.
system.preferences.startupdisk                      1     1            Checked by the Admin framework when making changes to the Startup Disk preference pane.   
system.preferences.timemachine                      1     1            Checked by the Admin framework when making changes to the Time Machine preference pane.   
system.preferences.version-cue                      1     2            For gating modifications to Adobe Version Cue preferences.                                
system.print.admin                                  1     2                                                                                                      
system.print.operator                               1     1                                                                                                      
system.printingmanager                              1     2     1      For printing to locked printers.                                                          
system.privilege.admin                              1     1            Used by AuthorizationExecuteWithPrivileges(...).  
		AuthorizationExecuteWithPrivileges() 
system.privilege.taskport                           1     1            Used by task_for_pid(...).
		Task_for_pid is called by programs requesting full control ov
system.privilege.taskport.debug                     1     2     1      For use by Apple.  WARNING: administrators are advised
            not to modify this righ
system.privilege.taskport.safe                      1     4            For use by Apple.                                                                         
system.restart                                      1     3            Checked if the foreground console user tries to restart the system while other users are l
system.services.directory.configure                 1     1            For making Directory Services changes.                                                    
system.services.networkextension.filtering          1     1            For making changes to the Content Filtering configuration using NetworkExtension.         
system.services.networkextension.vpn                1     1            For making changes to the VPN configuration using NetworkExtension.                       
system.services.systemconfiguration.network         1     1            For making change to network configuration via System Configuration.                      
system.sharepoints.                                 1     1            Checked when making changes to the Sharepoints.                                           
system.shutdown                                     1     3            Checked if the foreground console user tries to shut down the system while other users are
system.volume.                                      1     2     1      system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)           
system.volume.external.                             1     2     1      system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)           
system.volume.external.adopt                        1     2     1      system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)           
system.volume.network.                              1     2     1      system.volume.network.unmount                                                             
system.volume.optical.                              1     2     1      system.volume.optical.(adopt|encode|mount|rename|unmount)                                 
system.volume.optical.adopt                         1     2     1      system.volume.optical.adopt                                                               
system.volume.removable.                            1     2     1      system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)           
system.volume.removable.adopt                       1     2     1      system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)           
use-login-window-ui                                 2     1            Authenticate either as the owner or as an administrator.