Reply to How to satisfy a custom Authorization Right?
Thank you for the clarification — that makes sense now.

Given that authenticate-user cannot be short-circuited mid-evaluation by a custom plug-in, I’m now interested in understanding how security credentials can be used to fulfill such rights after completing evaluation (as you mentioned in relation to QA1277).

Could you clarify:

- Under what circumstances can a security credential be created and used to satisfy a right like authenticate-user?
- Can I programmatically install a credential (e.g., for an admin user who authenticated earlier), so that future calls to AuthorizationCopyRights() succeed without prompting again?
- Would this approach work across multiple invocations of the same custom rule (e.g., custom.test)?

If you have any example of how to set or retrieve a credential from within a plug-in or client context, that would be immensely helpful.

Thanks again!
Topic: Privacy & Security SubTopic: General Tags:
Jul ’25
Reply to How to satisfy a custom Authorization Right?
Thank you for your reply and insight. To clarify the setup:

I’ve defined a custom right custom.test as follows:

    <string>rule</string>
    <key>rule</key>
    <array>
        <string>custom.test.plugin</string>
        <string>custom.test.authenticate</string>
    </array>

Where:

custom.test.plugin is defined as:

    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>AuthorizationPlugin:elevate-privileges,privileged</string>
    </array>

custom.test.authenticate is defined as:

    <key>authenticate-user</key>
    <true/>
    <key>allow-root</key>
    <true/>
    <key>class</key>
    <string>user</string>
    <key>group</key>
    <string>admin</string>

My Authorization Plug-in is loaded correctly, and the mechanism elevate-privileges is invoked as expected.

My question is: When the system evaluates the right custom.test, is it possible for my plug-in (inside the elevate-privileges mechanism) to programmatically satisfy the custom.test.authenticate rule — for example, by validating the credentials of another admin user?

Or more directly: Can a plug-in participating in a rule chain short-circuit or fulfill an authenticate-user condition on behalf of the system?

Appreciate your help and any guidance you can provide.
Topic: Privacy & Security SubTopic: General Tags:
Jul ’25