Does "Full Disk Access” include access to "Files and Folders" Privacy settings?

In MacOS 10.15 new settings have been introduced in Security & Privacy that allow the user to determine access to files and folders for specific applications. For example access to the 'Desktop' or 'Downloads' folder can now be controlled but also 'Network Volumes' and 'Removable Volumes'.

Is granting 'Full Disk Access' to a process / application sufficient and includes the newer more specific permissions in Catalina for "Files and Folders"?

enter image description here


The System Preferences screen is a bit vague (it says "Allows specified apps access to data like Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on this Mac.")

However the Apple developer documentation is more explicit - it says Full Disk Access (SystemPolicyAllFiles) covers all protected file locations including the new ones you mention. From PrivacyPreferencesPolicyControl.Services :

SystemPolicyAllFiles Allows the application access to all protected files, including system administration files.

More fine-grained file locations are listed in the link, including those you asked about. Specifically :

SystemPolicyDesktopFolder Allows the application to access files in the user's Documents folder.

SystemPolicyDocumentsFolder Allows the application to access files in the user's Downloads folder.

SystemPolicyNetworkVolumes Allows the application to access files on network volumes.

SystemPolicyRemovableVolumes Allows the application to access files on removable volumes.

Note that PrivacyPreferencesPolicyControl says "In the case of conflicting specifications, the most restrictive setting (deny) is used" but it doesn't seem to be possible to grant Full Disk Access and revoke another permission in Files and Folders through System Preferences.


Quoting the expert on the matter, Quinn “The Eskimo!” from Apple Developer Relations / Developer Technical Support:

https://forums.developer.apple.com/thread/124895

There are two further levels of protection in play here:

  • On 10.15 and later, certain common locations, like the Desktop, require Files and Folders access (see System Preferences > Security & Privacy > Privacy > Files and Folders).

  • On 10.14 and later, certain obscure locations, like the mail database, require Full Disk Access (see System Preferences > Security & Privacy > Privacy > Full Disk Access).

The latter subsumes the former.

These privileges can only be granted by the user.

So 'Full Disk Access' does give access to the 'Files and Folders' locations as well.