I'd say it's usually on the packager (or caller) because specying privileges depends on the platform you run on, which is better known by the packager or caler