Alternate privilege lists/levels
You use alternate privilege lists and alternate privilege levels to specify that a daemon or interactive program should run with a privilege other than the one it gets out-of-the-box.
You use alternate privilege lists to list daemons or interactive programs that should run with a different privilege. For example, you would use Daemon Options > General Settings > Alternate Privilege Lists to list daemons that should have full or safe privileges, or daemons that should not run. In these generic lists, you can list daemons that do not have individual behavior controls in a policy. You can list any daemon running on a system.
You use alternate privilege levels to set the privilege of a specific daemon or interactive program that already has an individual behavior control in a policy. For example, you would use Process Sets > Daemon Options > Core OS Daemon Options > FTP daemon > Advanced Options > Alternate Privilege Level to set the privilege level (run with full privileges, run with safe privileges, or do not start) for the FTP daemon, which already has a behavior control in the Protection policy.
When you select an alternate privilege level for a daemon or interactive program, all other option settings for that daemon or interactive program are ignored. If you set multiple alternate privileges, the least restrictive privilege is used.
The Protection policy does not stop daemons or interactive programs that are already running. If a daemon or interactive program is already running when you apply a policy with the do not start option enabled, you must manually stop the daemon or interactive program. Once the daemon or interactive program is stopped, the option prevents it from restarting.
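The following is an added example, not part of the product or its documentation: a shell check that resolves duplicate privilege settings (least restrictive wins) and reports daemons that resolve to do not start but are still running, so you know which ones to stop manually. The settings format (one "daemon level" pair per line, transcribed by hand from the policy), the tokens full, safe and nostart, and the ordering full > safe > nostart from least to most restrictive are assumptions.

```shell
#!/bin/sh
# Added example. The settings format and level tokens are assumptions,
# not something the product exports.

# Constructed sample: one "daemon level" pair per line. A daemon can appear
# twice (for example in a generic list and with its own alternate level).
SAMPLE_SETTINGS='ftpd nostart
telnetd nostart
telnetd safe
rshd nostart
sshd full'

# Constructed sample of `ps -e -o pid= -o comm=` output.
SAMPLE_PS='  412 sshd
  655 ftpd
  701 telnetd
  902 cron'

# still_running SETTINGS PS_OUTPUT
# Prints "pid name" for every running process whose effective level is nostart.
still_running() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        BEGIN { rank["nostart"] = 0; rank["safe"] = 1; rank["full"] = 2 }
        $0 == "---" { in_ps = 1; next }          # separator: settings end, ps begins
        !in_ps && NF == 2 && ($2 in rank) {
            # Multiple settings for one daemon: keep the least restrictive.
            if (!($1 in eff) || rank[$2] > rank[eff[$1]]) eff[$1] = $2
            next
        }
        in_ps && NF >= 2 {
            n = split($2, parts, "/"); name = parts[n]   # drop any leading path
            if ((name in eff) && eff[name] == "nostart") print $1, name
        }'
}

# With the samples above, only ftpd is reported: telnetd resolves to safe,
# rshd is not running, and sshd is set to full.
still_running "$SAMPLE_SETTINGS" "$SAMPLE_PS"
```

On a live system, pass the real process list as the second argument, for example `still_running "$(cat settings.txt)" "$(ps -e -o pid= -o comm=)"`, where settings.txt is your own hand-written file.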