Chapter 3. Authorization manager

Table of Contents



The Authorization manager is the application that system administrators can use to easily change the default behavior of any actions. This page does not aim to explain how to create new actions or define new .policy files.

The Authorization screen is divided in two parts, at the left we have all the actions that PolicyKit knows, you are able to search the actions using the search bar at the top, and at the right we have the selected action. This screenshot shows the main Authorization screen:

Main window with source device

When you select an action it's details will be shown at the right side, the action might have an icon, a description and the vendor name. Next in the view we have the Implicit Authorizations and Explicit Authorizations.

The Implicit Authorizations are authorizations automatically given to users based on certain criteria such as if they are on the local console. These authorizations are read from the .policy files that the given application defined, they are the defaults settings of the action. These are the valid values

  • no

  • auth_self_one_shot

  • auth_self

  • auth_self_keep_session

  • auth_self_keep_always

  • auth_admin_one_shot

  • auth_admin

  • auth_admin_keep_session

  • auth_admin_keep_always

  • yes

You can change these defaults values simply by changing it on the combo box, the not bold value is the default one so if you want to change one value back you can select it, to make you selection take effect you have to click on the Modify button. The Revert to defaults can be used to change all Implicit Authorizations to it's defaults values. Note that both Modify and Revert to defaults requires you to issue the PolicyKit org.freedesktop.policykit.modify-defaults action which might ask a password.

The Explicit Authorizations are authorizations that are either obtained through authentication process or specifically given to the action in question. The default behavior is to only show the current user explicit authorizations; if you want to see others users explicit authorizations click on the Show authorizations from all users, note that this requires you to issue the PolicyKit action which might ask a password. Blocked authorizations are marked with a STOP sign.

The Revoke button is used to revoke an explicit authorization. Note that this requires you to issue the PolicyKit org.freedesktop.policykit.revoke action which might ask a password.

If you want to specifically grant or block a given user of performing a given action you can click on the Grant or Block. The following screenshot you see the Grant/Block dialog:

Grant/Block explicit authorizations dialog

To grant/block explicit authorizations you have to select the user that will receive the authorization. You can also select the Constraints to limit the authorization such that it only applies under certain circumstances.


Be aware that explicit blocking and authorization might self lock you of performing the given action so be sure of what you are doing

Note that this requires you to issue the PolicyKit org.freedesktop.policykit.grant action which might ask a password.