diff --git a/introspection/nm-ip4-config.xml b/introspection/nm-ip4-config.xml
index f21a2e4a0e..6a8750b7f6 100644
--- a/introspection/nm-ip4-config.xml
+++ b/introspection/nm-ip4-config.xml
@@ -30,6 +30,14 @@
     <property name="WinsServers" type="au" access="read">
       <tp:docstring>The Windows Internet Name Service servers associated with the connection.  Each address is in network byte order.</tp:docstring>
     </property>
+
+    <signal name="PropertiesChanged">
+      <arg name="properties" type="a{sv}" tp:type="String_Variant_Map">
+        <tp:docstring>
+          A dictionary mapping property names to variant boxed values
+        </tp:docstring>
+      </arg>
+    </signal>
   </interface>
 </node>
 
diff --git a/introspection/nm-ip6-config.xml b/introspection/nm-ip6-config.xml
index dcec871391..55c519e701 100644
--- a/introspection/nm-ip6-config.xml
+++ b/introspection/nm-ip6-config.xml
@@ -20,6 +20,14 @@
     <property name="Searches" type="as" access="read">
       <tp:docstring>A list of dns searches.</tp:docstring>
     </property>
+
+    <signal name="PropertiesChanged">
+      <arg name="properties" type="a{sv}" tp:type="String_Variant_Map">
+        <tp:docstring>
+          A dictionary mapping property names to variant boxed values
+        </tp:docstring>
+      </arg>
+    </signal>
   </interface>
 </node>
 
diff --git a/introspection/nm-manager.xml b/introspection/nm-manager.xml
index 2d4cbf8269..27610cfc9b 100644
--- a/introspection/nm-manager.xml
+++ b/introspection/nm-manager.xml
@@ -209,6 +209,7 @@
 
     <method name="SetLogging">
       <annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_manager_set_logging"/>
+      <annotation name="org.freedesktop.DBus.GLib.Async" value=""/>
       <tp:docstring>
         Set logging verbosity and which operations are logged.
       </tp:docstring>
diff --git a/introspection/nm-settings.xml b/introspection/nm-settings.xml
index 7e02db7216..e36f206db9 100644
--- a/introspection/nm-settings.xml
+++ b/introspection/nm-settings.xml
@@ -23,6 +23,7 @@
         Retrieve the object path of a connection, given that connection's UUID.
       </tp:docstring>
       <annotation name="org.freedesktop.DBus.GLib.CSymbol" value="impl_settings_get_connection_by_uuid"/>
+      <annotation name="org.freedesktop.DBus.GLib.Async" value=""/>
       <arg name="uuid" type="s" direction="in">
         <tp:docstring>
           The UUID to find the connection object path for.
diff --git a/policy/org.freedesktop.NetworkManager.policy.in.in b/policy/org.freedesktop.NetworkManager.policy.in.in
index ea3777a470..2de066c1e0 100644
--- a/policy/org.freedesktop.NetworkManager.policy.in.in
+++ b/policy/org.freedesktop.NetworkManager.policy.in.in
@@ -85,8 +85,7 @@
     <_description>Modify personal network connections</_description>
     <_message>System policy prevents modification of personal network settings</_message>
     <defaults>
-      <allow_inactive>no</allow_inactive>
-      <allow_active>yes</allow_active>
+      <allow_any>yes</allow_any>
     </defaults>
   </action>
 
@@ -94,8 +93,7 @@
     <_description>Modify network connections for all users</_description>
     <_message>System policy prevents modification of network settings for all users</_message>
     <defaults>
-      <allow_inactive>no</allow_inactive>
-      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
+      <allow_any>@NM_MODIFY_SYSTEM_POLICY@</allow_any>
     </defaults>
   </action>
 
@@ -103,8 +101,7 @@
     <_description>Modify persistent system hostname</_description>
     <_message>System policy prevents modification of the persistent system hostname</_message>
     <defaults>
-      <allow_inactive>no</allow_inactive>
-      <allow_active>auth_admin_keep</allow_active>
+      <allow_any>auth_admin_keep</allow_any>
     </defaults>
   </action>
 
diff --git a/src/nm-ip4-config.c b/src/nm-ip4-config.c
index c7c00a41d7..b9ce0cbadb 100644
--- a/src/nm-ip4-config.c
+++ b/src/nm-ip4-config.c
@@ -1688,5 +1688,7 @@ nm_ip4_config_class_init (NMIP4ConfigClass *config_class)
 
 	g_object_class_install_properties (object_class, LAST_PROP, obj_properties);
 
-	dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (config_class), &dbus_glib_nm_ip4_config_object_info);
+	nm_dbus_manager_register_exported_type (nm_dbus_manager_get (),
+	                                        G_TYPE_FROM_CLASS (config_class),
+	                                        &dbus_glib_nm_ip4_config_object_info);
 }
diff --git a/src/nm-ip6-config.c b/src/nm-ip6-config.c
index 6e9f1f2558..178f0b51b1 100644
--- a/src/nm-ip6-config.c
+++ b/src/nm-ip6-config.c
@@ -1509,6 +1509,7 @@ nm_ip6_config_class_init (NMIP6ConfigClass *config_class)
 
 	g_object_class_install_properties (object_class, LAST_PROP, obj_properties);
 
-	dbus_g_object_type_install_info (G_TYPE_FROM_CLASS (config_class),
-	                                 &dbus_glib_nm_ip6_config_object_info);
+	nm_dbus_manager_register_exported_type (nm_dbus_manager_get (),
+	                                        G_TYPE_FROM_CLASS (config_class),
+	                                        &dbus_glib_nm_ip6_config_object_info);
 }
diff --git a/src/nm-manager.c b/src/nm-manager.c
index 4fa1991225..e5a9702966 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -123,10 +123,10 @@ static gboolean impl_manager_get_state (NMManager *manager,
                                         guint32 *state,
                                         GError **error);
 
-static gboolean impl_manager_set_logging (NMManager *manager,
-                                          const char *level,
-                                          const char *domains,
-                                          GError **error);
+static void impl_manager_set_logging (NMManager *manager,
+                                      const char *level,
+                                      const char *domains,
+                                      DBusGMethodInvocation *context);
 
 static void impl_manager_get_logging (NMManager *manager,
                                       char **level,
@@ -4002,13 +4002,31 @@ impl_manager_get_state (NMManager *manager, guint32 *state, GError **error)
 	return TRUE;
 }
 
-static gboolean
+static void
 impl_manager_set_logging (NMManager *manager,
                           const char *level,
                           const char *domains,
-                          GError **error)
+                          DBusGMethodInvocation *context)
 {
-	if (nm_logging_setup (level, domains, NULL, error)) {
+	NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (manager);
+	GError *error = NULL;
+	gulong caller_uid = G_MAXULONG;
+
+	if (!nm_dbus_manager_get_caller_info (priv->dbus_mgr, context, NULL, &caller_uid, NULL)) {
+		error = g_error_new_literal (NM_MANAGER_ERROR,
+		                             NM_MANAGER_ERROR_PERMISSION_DENIED,
+		                             "Failed to get request UID.");
+		goto done;
+	}
+
+	if (0 != caller_uid) {
+		error = g_error_new_literal (NM_MANAGER_ERROR,
+		                             NM_MANAGER_ERROR_PERMISSION_DENIED,
+		                             "Permission denied");
+		goto done;
+	}
+
+	if (nm_logging_setup (level, domains, NULL, &error)) {
 		char *new_level = nm_logging_level_to_string ();
 		char *new_domains = nm_logging_domains_to_string ();
 
@@ -4016,9 +4034,12 @@ impl_manager_set_logging (NMManager *manager,
 		             new_level, new_domains);
 		g_free (new_level);
 		g_free (new_domains);
-		return TRUE;
 	}
-	return FALSE;
+
+done:
+	if (error)
+		dbus_g_method_return_error (context, error);
+	g_clear_error (&error);
 }
 
 static void
diff --git a/src/nm-session-monitor-systemd.c b/src/nm-session-monitor-systemd.c
index 4d8edab2d2..f195c1e775 100644
--- a/src/nm-session-monitor-systemd.c
+++ b/src/nm-session-monitor-systemd.c
@@ -234,18 +234,19 @@ nm_session_monitor_uid_has_session (NMSessionMonitor *monitor,
                                     const char **out_user,
                                     GError **error)
 {
-	int ret;
+	int num_sessions;
 
 	if (!nm_session_uid_to_user (uid, out_user, error))
 		return FALSE;
 
-	ret = sd_uid_get_sessions (uid, FALSE, NULL) > 0;
-	if (ret < 0) {
+	/* Get all sessions (including inactive ones) for the user */
+	num_sessions = sd_uid_get_sessions (uid, 0, NULL);
+	if (num_sessions < 0) {
 		nm_log_warn (LOGD_CORE, "Failed to get systemd sessions for uid %d: %d",
-		             uid, ret);
+		             uid, num_sessions);
 		return FALSE;
 	}
-	return ret > 0 ? TRUE : FALSE;
+	return num_sessions > 0;
 }
 
 gboolean
@@ -253,13 +254,14 @@ nm_session_monitor_uid_active (NMSessionMonitor *monitor,
                                uid_t uid,
                                GError **error)
 {
-	int ret;
+	int num_sessions;
 
-	ret = sd_uid_get_sessions (uid, TRUE, NULL) > 0;
-	if (ret < 0) {
+	/* Get active sessions for the user */
+	num_sessions = sd_uid_get_sessions (uid, 1, NULL);
+	if (num_sessions < 0) {
 		nm_log_warn (LOGD_CORE, "Failed to get active systemd sessions for uid %d: %d",
-		             uid, ret);
+		             uid, num_sessions);
 		return FALSE;
 	}
-	return ret > 0 ? TRUE : FALSE;
+	return num_sessions > 0;
 }
diff --git a/src/org.freedesktop.NetworkManager.conf b/src/org.freedesktop.NetworkManager.conf
index db68374cc8..bdfe3e6773 100644
--- a/src/org.freedesktop.NetworkManager.conf
+++ b/src/org.freedesktop.NetworkManager.conf
@@ -26,93 +26,99 @@
                 <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
                 <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
         </policy>
-        <policy at_console="true">
-                <allow send_destination="org.freedesktop.NetworkManager"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.DBus.Introspectable"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.DBus.Properties"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.Device.Serial"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.Device"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.IP4Config"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
-
-                <allow send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager.AgentManager"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="SetLogging"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="Sleep"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="sleep"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="wake"/>
-        </policy>
         <policy context="default">
                 <deny own="org.freedesktop.NetworkManager"/>
 
                 <deny send_destination="org.freedesktop.NetworkManager"/>
 
+		<!-- Basic D-Bus API stuff -->
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.DBus.Introspectable"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.DBus.Properties"/>
+
+		<!-- Devices (read-only properties, no methods) -->
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Team"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
+
+		<!-- Devices (read-only, no security required) -->
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>
+
+		<!-- Devices (read/write, secured with PolicyKit) -->
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Device"/>
+
+		<!-- Core stuff (read-only properties, no methods) -->
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.IP4Config"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.IP6Config"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
+
+		<!-- Core stuff (read/write, secured with PolicyKit) -->
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager"/>
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.Settings"/>
+                <allow send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>
 
+		<!-- Agents; secured with PolicyKit.  Any process can talk to
+		     the AgentManager API, but only NetworkManager can talk
+		     to the agents themselves. -->
                 <allow send_destination="org.freedesktop.NetworkManager"
                        send_interface="org.freedesktop.NetworkManager.AgentManager"/>
+                <deny send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
 
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="SetLogging"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="Sleep"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="sleep"/>
-
-                <deny send_destination="org.freedesktop.NetworkManager"
-                       send_interface="org.freedesktop.NetworkManager"
-                       send_member="wake"/>
+		<!-- Root-only functions -->
+                <deny send_interface="org.freedesktop.NetworkManager" send_member="SetLogging"/>
+                <deny send_interface="org.freedesktop.NetworkManager" send_member="Sleep"/>
+                <deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="LoadConnections"/>
+                <deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="ReloadConnections"/>
+                <deny send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
+                <deny send_interface="org.freedesktop.NetworkManager.PPP"/>
         </policy>
 </busconfig>
 
diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
index 42c8b95f68..a9bb90599a 100644
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
@@ -91,10 +91,10 @@ static gboolean impl_settings_list_connections (NMSettings *self,
                                                 GPtrArray **connections,
                                                 GError **error);
 
-static gboolean impl_settings_get_connection_by_uuid (NMSettings *self,
-                                                      const char *uuid,
-                                                      char **out_object_path,
-                                                      GError **error);
+static void impl_settings_get_connection_by_uuid (NMSettings *self,
+                                                  const char *uuid,
+                                                  char **out_object_path,
+                                                  DBusGMethodInvocation *context);
 
 static void impl_settings_add_connection (NMSettings *self,
                                           GHashTable *settings,
@@ -268,25 +268,53 @@ nm_settings_get_connection_by_uuid (NMSettings *self, const char *uuid)
 	return NULL;
 }
 
-static gboolean
+static void
 impl_settings_get_connection_by_uuid (NMSettings *self,
                                       const char *uuid,
                                       char **out_object_path,
-                                      GError **error)
+                                      DBusGMethodInvocation *context)
 {
 	NMSettingsConnection *connection = NULL;
+	NMAuthSubject *subject;
+	GError *error = NULL;
+	char *error_desc = NULL;
 
 	connection = nm_settings_get_connection_by_uuid (self, uuid);
-	if (connection)
-		*out_object_path = g_strdup (nm_connection_get_path (NM_CONNECTION (connection)));
-	else {
-		g_set_error_literal (error,
-		                     NM_SETTINGS_ERROR,
-		                     NM_SETTINGS_ERROR_INVALID_CONNECTION,
-		                     "No connection with the UUID was found.");
+	if (!connection) {
+		error = g_error_new_literal (NM_SETTINGS_ERROR,
+		                             NM_SETTINGS_ERROR_INVALID_CONNECTION,
+		                             "No connection with the UUID was found.");
+		goto error;
 	}
 
-	return !!connection;
+	subject = nm_auth_subject_new_from_context (context);
+	if (!subject) {
+		error = g_error_new_literal (NM_SETTINGS_ERROR,
+		                             NM_SETTINGS_ERROR_PERMISSION_DENIED,
+		                             "Unable to determine UID of request.");
+		goto error;
+	}
+
+	if (!nm_auth_uid_in_acl (NM_CONNECTION (connection),
+	                         nm_session_monitor_get (),
+	                         nm_auth_subject_get_uid (subject),
+	                         &error_desc)) {
+		error = g_error_new_literal (NM_SETTINGS_ERROR,
+		                             NM_SETTINGS_ERROR_PERMISSION_DENIED,
+		                             error_desc);
+		g_free (error_desc);
+		goto error;
+	}
+
+	g_clear_object (&subject);
+	dbus_g_method_return (context, nm_connection_get_path (NM_CONNECTION (connection)));
+	return;
+
+error:
+	g_assert (error);
+	dbus_g_method_return_error (context, error);
+	g_error_free (error);
+	g_clear_object (&subject);
 }
 
 static int