I fought this one for a long time. Here's what I learned before giving up (soft of):
ksadmin is "keystone admin" which is part of Google's autoupdating mechanism. If their software followed some kind of normal authoring process, we'd just be able to whitelist its location and add it to the allowed path(s), as you've started to do in your screenshot above. However, Google's engineers have decided to write their software so that ksadin spawns in a randomly-named folder in /tmp. Because it's a randomly-generated folder name, you can't provide an absolute path to the ksadmin instance. It's different, literally every single time.
Right, so I can just white-list /tmp then, right? You can try, but every time I've tried this, it hasn't worked for me.
In the end, I decided that it'd just be easier to tell GoogleUpdater to not check for updates every 15 minutes, as this check is what is triggering the admin password prompt. You can use the defaults write command to change this value:
defaults write com.google.Keystone.Agent checkInterval 604800
Where "604800" is the number of seconds in a week, so this will tell it to check every 7 days intend of every 15 min.
