I assume it is just a matter of configuring a proper rule in the authorization db by exporting/importing plist. Allowing all users to access keychain works for my CI use case.