polkit(8) manpage for the object structure and available API. These examples are for polkit versions 106 and later, with the JS interpreter. They won't work with Debian's polkit v105.
If you don't know the action name, run
pkaction | grep cups
The possible results are
NO. Returning a result is final. Returning
nullwill continue checking other rules.
Put your rules in
/etc/polkit-1/rules.d/*.rules. (You can check everything in one giant addRule, or you can have a separate file and separate addRule for each program; it doesn't matter.)
To test your rules, use
pkcheck -u -p $$ -a org.freedesktop.packagekit.upgrade-system
This is probably the most annoying thing in OpenSUSE - asking for a password for network, hdd mount, etc. Every now and then I have to search for these rules. Thanks for posting them as a gist!