How to find out why OS X is requesting privilege elevation for an app?

Solution 1:

It is not possible to know at the time the credentials are requested. The security mechanisms in OS X do not require pre-authorization of specific actions.

Applications and other processes are asking for one or more authorization rights. Each right grants the application specific capabilities:

Authorisation Rights

Authorisation rights are a core part of Mac OS X's security. Rights determine who can and cannot access specific functionality. Administrators of Macs often need to change the defaults that ship with Mac OS X.

Use Console.app to view /var/log/authd.log. This log file contains every successful and unsuccessful attempt to gain these rights.

If granted, the application is then free to perform actions with this new raised level of authorisation. Occasionally the actions are also logged in the authd.log file.

User Interface

The process responsible for showing the security user interface is part of OS X and not part of the requesting application. The application is likely in /System/Library/CoreServices.

The requesting application does not and cannot access the credentials interface.

Limits of Time, Use, or Both

OS X's rights are often limited by time or use. As an example, the authenticate-admin-30 right is limited to 30 minutes. Other actions are limited to a single use, such as launching an assisting process just once.

As OS X has been developed, Apple have tended towards restricting initial rights. With OS X 10.11, even root, the once super user, has been limited by default, all with the aim of better layering security.
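To go with the advice above to read /var/log/authd.log, here is an added example (not part of the original answer) that groups authorization decisions by the application that created the request, so you can see after the fact which right a prompt was for. The line layout matched by `LINE_RE` is an assumption about how authd writes its entries, and the sample lines, paths and PIDs are constructed.

```python
import re
from collections import defaultdict

# Assumed authd.log line layout (not taken from the answer above);
# adjust the pattern if your OS X version logs differently.
LINE_RE = re.compile(
    r"authd\[\d+\]: (?P<result>Succeeded authorizing|Failed to authorize) "
    r"right '(?P<right>[^']+)' by client '(?P<client>[^']+)' \[\d+\] "
    r"for authorization created by '(?P<creator>[^']+)' \[\d+\]"
)

# Constructed sample lines; host name, paths and PIDs are made up.
SAMPLE_LOG = """\
Mar  3 10:15:02 mac authd[121]: Succeeded authorizing right 'system.preferences' by client '/System/Library/PrivateFrameworks/Example.framework/helper' [310] for authorization created by '/Applications/System Preferences.app' [305] (2,0)
Mar  3 10:17:40 mac authd[121]: Failed to authorize right 'system.privilege.admin' by client '/usr/libexec/security_authtrampoline' [402] for authorization created by '/Applications/Example.app' [398] (13,0) (-60006) (engine 12)
Mar  3 10:17:55 mac authd[121]: Succeeded authorizing right 'system.privilege.admin' by client '/usr/libexec/security_authtrampoline' [409] for authorization created by '/Applications/Example.app' [398] (13,0)
Mar  3 10:18:01 mac authd[121]: unrelated housekeeping message
"""

def parse_authd(text):
    """Return one dict per authorization decision; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["granted"] = ev.pop("result").startswith("Succeeded")
            events.append(ev)
    return events

def rights_by_creator(events):
    """Map requesting application -> {right: (granted, denied)} counts."""
    summary = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ev in events:
        summary[ev["creator"]][ev["right"]][0 if ev["granted"] else 1] += 1
    return {app: {r: tuple(c) for r, c in rights.items()}
            for app, rights in summary.items()}

if __name__ == "__main__":
    for app, rights in rights_by_creator(parse_authd(SAMPLE_LOG)).items():
        for right, (ok, denied) in rights.items():
            print(f"{app}: {right} granted={ok} denied={denied}")
```

On a real machine, pass the contents of /var/log/authd.log to `parse_authd` instead of `SAMPLE_LOG`.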