[systemd-devel] Who has rights to override/ignore inhibitors?

[Jayson Willson]

Dear Lennart! That's what I have in my 
/usr/share/polkit-1/actions/org.freedesktop.login1.policy:

         <action id="org.freedesktop.login1.power-off-ignore-inhibit">
                 <description>Power off the system while an application 
asked to inhibit it</description>
                 <message>Authentication is required for powering off 
the system while an application asked to inhibit it.</message>
                 <defaults>
                         <allow_any>auth_admin_keep</allow_any>
                         <allow_inactive>auth_admin_keep</allow_inactive>
                         <allow_active>auth_admin_keep</allow_active>
                 </defaults>
                 <annotate 
key="org.freedesktop.policykit.imply">org.freedesktop.login1.power-off</annotate>
         </action>

It seems like authentication IS required to poweroff system, 
disregarding inhibitors. However, on my system, without any special 
polkit configuration standard user (which is in the groups mentioned 
above) can ignore inhibitors by running systemctl poweroff -i without 
being asked for authentication. Could you please help me to understand, 
why is it so, and what should be done in order to change such behaviour?
Yours, Jayson.