Segura®'s EPM (Endpoint Privilege Manager) macOS implements a sophisticated multi-layered privilege management system that operates through hierarchical access control lists with strict precedence rules. The system eliminates the need for permanent administrative privileges by providing just-in-time elevation based on dynamic policy evaluation.
At its core, the EPM macOS utilizes hierarchical access control lists (ACLs). These ACLs are structured to define and enforce permissions for applications, processes, and user actions across the macOS environment. Each layer within this hierarchy is designed to provide a specific level of control, from system-wide policies down to highly specific application-level permissions. This layered approach ensures comprehensive coverage and precise control over endpoint privileges.
Priority order in an access list
When a process appears in multiple access lists within EPM macOS, the system follows a strict hierarchical evaluation order to resolve conflicts and ensure consistent security decisions.
The following list shows the priority order used to evaluate a process that appears in more than one access list (highest priority first):
- AllowList (User): Grants specific privileges to individual users based on their unique identity and role requirements.
- AllowList (Device): Permits specific applications and operations based on device characteristics, location, or management status.
- AllowList (General): Establishes baseline organizational permissions that apply broadly across users and devices.
- DenyList (User): Blocks specific users from accessing particular resources due to security, compliance, or disciplinary reasons.
- DenyList (Device): Restricts access from specific devices that may be compromised, non-compliant, or unauthorized.
- DenyList (General): Implements organization-wide security policies by blocking dangerous or prohibited resources across all users and devices.
- Graylist: Creates a conditional access zone where resources require additional verification, approval, or monitoring before being allowed.
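To make the precedence concrete, the following is an added example (not Segura's code) of a resolver that walks the seven lists in the documented order and reports which list decided. It assumes first-match semantics, that User and Device lists are keyed by username and device id respectively, and that a process found in no list is reported as unmatched, since the documentation does not state a default; the list entries are constructed sample data.

```python
from typing import Optional

# Evaluation order exactly as documented; the first list containing the process decides.
PRIORITY = (
    "AllowList (User)", "AllowList (Device)", "AllowList (General)",
    "DenyList (User)", "DenyList (Device)", "DenyList (General)",
    "Graylist",
)
DECISION = {"AllowList": "allow", "DenyList": "deny", "Graylist": "verify"}


class AccessLists:
    """One entry set per list; an entry is (subject, process), where subject is a
    username for User lists, a device id for Device lists, '*' for General/Graylist."""

    def __init__(self) -> None:
        self.lists: dict[str, set[tuple[str, str]]] = {name: set() for name in PRIORITY}

    def add(self, list_name: str, process: str, subject: str = "*") -> None:
        self.lists[list_name].add((subject, process))

    @staticmethod
    def subject_for(list_name: str, user: str, device: str) -> str:
        if "(User)" in list_name:
            return user
        if "(Device)" in list_name:
            return device
        return "*"

    def evaluate(self, process: str, user: str, device: str) -> tuple[str, Optional[str]]:
        """Walk the lists in priority order; return (decision, name of the matching list)."""
        for name in PRIORITY:
            if (self.subject_for(name, user, device), process) in self.lists[name]:
                return DECISION[name.split(" ")[0]], name
        # Assumption: the page does not say what happens when no list matches,
        # so report that explicitly instead of guessing a default.
        return "no-match", None


def demo_lists() -> AccessLists:
    """Constructed sample entries (hypothetical bundle ids, not from the product docs)."""
    acl = AccessLists()
    acl.add("AllowList (User)", "com.example.buildtool", subject="alice")   # user allow ...
    acl.add("DenyList (General)", "com.example.buildtool")                  # ... beats general deny
    acl.add("DenyList (Device)", "com.example.installer", subject="mac-0042")  # device deny ...
    acl.add("Graylist", "com.example.installer")                            # ... beats graylist
    return acl


if __name__ == "__main__":
    acl = demo_lists()
    print(acl.evaluate("com.example.buildtool", "alice", "mac-0001"))  # ('allow', 'AllowList (User)')
    print(acl.evaluate("com.example.buildtool", "bob", "mac-0001"))    # ('deny', 'DenyList (General)')
```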