File 70-nikau.rules of Package nikau

/*
 * nikau services must be stoppable without password, so just allow
 * stopping.
 * The root service name contains the numerical UID, which we don't
 * have available in polkit. So we can only guess that this service
 * belongs to the current user.
 * Only on single-user workstations AUTH_SELF can be used for starting
 * the service.
 */

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units"
        && subject.active && subject.local) {

        const nik_re = /nikau-(client|server)@[0-9]+\.service/;
        if (nik_re.test(action.lookup("unit"))) {
                if (action.lookup("verb") == "stop") {
                        return polkit.Result.YES;
                } else {
                        return polkit.Result.AUTH_ADMIN;
                }
        }
    }
});