---
title: Access Control Lists
framework: security
role: collectionGroup
role_heading: API Collection
path: security/access-control-lists
---

# Access Control Lists

Control which apps have access to keychain items in macOS.

## Overview

In macOS, for items not stored on the iCloud keychain, each protected keychain item—like a password or private key—has an associated access instance that contains an access control list (ACL). Each entry in this list contains an array of operations and an array of apps trusted to carry out those operations with the item. Together, the ACL entries govern the accessibility of the corresponding keychain item.

When an app attempts to access a keychain item for a particular purpose—like using a private key to sign a document—the system looks for an entry in the item’s ACL containing the operation. If there’s no entry that lists the operation, then the system denies access and it’s up to the calling app to try something else or to notify the user. If there is an entry that lists the operation, the system checks whether the calling app is among the entry’s trusted apps. If so, the system grants access. Otherwise, the system prompts the user for confirmation. The user may choose to Deny, Allow, or Always Allow the access. In the last case, the system adds the app to the list of trusted apps for that entry, enabling the app to gain access in the future without prompting the user again.

Important: ACLs are not available in iOS or in macOS apps that use the iCloud keychain. For keychain item sharing in those environments, use access groups instead. See Sharing access to keychain items among a collection of apps.
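The access decision described above can be modeled in a few lines. This is an added illustration, not Apple's implementation or Security framework code: the class names, the operation strings (`"sign"`, `"decrypt"`), the app paths, and the choice to use the first entry that lists an operation are all assumptions made for the sketch.

```python
from dataclasses import dataclass
from enum import Enum

class UserChoice(Enum):
    DENY = "Deny"
    ALLOW = "Allow"
    ALWAYS_ALLOW = "Always Allow"

@dataclass
class ACLEntry:
    operations: set      # operations this entry covers (hypothetical names)
    trusted_apps: set    # apps that may perform them without a prompt

def entry_for(acl, operation):
    """First ACL entry that lists the operation, or None (model assumption)."""
    return next((e for e in acl if operation in e.operations), None)

def request_access(acl, app, operation, ask_user):
    """Return (granted, reason) in the order the overview describes."""
    entry = entry_for(acl, operation)
    if entry is None:
        return False, "no-entry"        # denied outright; the user is never asked
    if app in entry.trusted_apps:
        return True, "trusted"          # silent grant
    choice = ask_user(app, operation)   # confirmation prompt
    if choice is UserChoice.ALWAYS_ALLOW:
        entry.trusted_apps.add(app)     # persistent: later requests skip the prompt
        return True, "always-allowed"
    if choice is UserChoice.ALLOW:
        return True, "allowed-once"     # ACL unchanged; next request prompts again
    return False, "user-denied"

def silent_apps(acl, operation):
    """Audit helper: apps that can perform `operation` with no prompt."""
    entry = entry_for(acl, operation)
    return sorted(entry.trusted_apps) if entry else []

def demo():
    # Constructed sample ACL: one entry covering signing, trusting one app.
    acl = [ACLEntry({"sign"}, {"/Applications/Mail.app"})]
    other = "/Applications/Signer.app"
    always = lambda app, op: UserChoice.ALWAYS_ALLOW
    return [
        request_access(acl, other, "decrypt", always),  # no entry lists "decrypt"
        request_access(acl, other, "sign", always),     # prompt, trust is stored
        request_access(acl, other, "sign", always),     # now granted silently
        silent_apps(acl, "sign"),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point to take from the model is that Always Allow is the only branch that changes the ACL, so reviewing an entry's trusted apps shows every app that can use the item without any further user interaction.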

## Topics

### Access Creation

- [SecAccessCreate(_:_:_:)](security/secaccesscreate(_:_:_:).md)
- [SecAccessCreateWithOwnerAndACL(_:_:_:_:_:)](security/secaccesscreatewithownerandacl(_:_:_:_:_:).md)
- [SecAccessOwnerType](security/secaccessownertype.md)
- [SecAccessOwnerType Values](security/secaccessownertype-values.md)
- [SecAccess](security/secaccess.md)
- [SecAccessGetTypeID()](security/secaccessgettypeid().md)

### Access Query

- [SecAccessCopyACLList(_:_:)](security/secaccesscopyacllist(_:_:).md)
- [SecAccessCopyMatchingACLList(_:_:)](security/secaccesscopymatchingacllist(_:_:).md)
- [SecAccessCopyOwnerAndACL(_:_:_:_:_:)](security/secaccesscopyownerandacl(_:_:_:_:_:).md)

### Access Control List Entries

- [SecACLCreateWithSimpleContents(_:_:_:_:_:)](security/secaclcreatewithsimplecontents(_:_:_:_:_:).md)
- [SecACLRemove(_:)](security/secaclremove(_:).md)
- [ACL Authorization Keys](security/acl-authorization-keys.md)
- [SecKeychainPromptSelector](security/seckeychainpromptselector.md)
- [SecACL](security/secacl.md)
- [SecACLGetTypeID()](security/secaclgettypeid().md)

### Access Control List Configuration

- [SecACLCopyContents(_:_:_:_:)](security/secaclcopycontents(_:_:_:_:).md)
- [SecACLSetContents(_:_:_:_:)](security/secaclsetcontents(_:_:_:_:).md)
- [SecACLCopyAuthorizations(_:)](security/secaclcopyauthorizations(_:).md)
- [SecACLUpdateAuthorizations(_:_:)](security/secaclupdateauthorizations(_:_:).md)

### Trusted Applications

- [SecTrustedApplicationCreateFromPath(_:_:)](security/sectrustedapplicationcreatefrompath(_:_:).md)
- [SecTrustedApplicationCopyData(_:_:)](security/sectrustedapplicationcopydata(_:_:).md)
- [SecTrustedApplicationSetData(_:_:)](security/sectrustedapplicationsetdata(_:_:).md)
- [SecTrustedApplication](security/sectrustedapplication.md)
- [SecTrustedApplicationGetTypeID()](security/sectrustedapplicationgettypeid().md)

### Keychain Item Access

- [SecKeychainItemSetAccess(_:_:)](security/seckeychainitemsetaccess(_:_:).md)
- [SecKeychainItemCopyAccess(_:_:)](security/seckeychainitemcopyaccess(_:_:).md)
