From cfd691fd35b9f36978f6f4cbd55616dab2821684 Mon Sep 17 00:00:00 2001 From: Annie_wang Date: Mon, 20 Feb 2023 16:57:16 +0800 Subject: [PATCH] update docs Signed-off-by: Annie_wang --- .../security/accesstoken-guidelines.md | 50 +-- .../security/accesstoken-overview.md | 146 ++++---- .../security/permission-list.md | 318 ++++++++++-------- 3 files changed, 277 insertions(+), 237 deletions(-) diff --git a/en/application-dev/security/accesstoken-guidelines.md b/en/application-dev/security/accesstoken-guidelines.md index a7cf725d83..eab4a6b119 100644 --- a/en/application-dev/security/accesstoken-guidelines.md +++ b/en/application-dev/security/accesstoken-guidelines.md @@ -4,10 +4,10 @@ The [Ability Privilege Level (APL)](accesstoken-overview.md#app-apls) of an application can be **normal**, **system_basic**, or **system_core**. The default APL is **normal**. The [permission types](accesstoken-overview.md#permission-types) include **system_grant** and **user_grant**. For details about the permissions for applications, see the [Application Permission List](permission-list.md). -This document describes: +This document describes the following operations: - [Declaring Permissions in the Configuration File](#declaring-permissions-in-the-configuration-file) -- [Declaring Permissions in the ACL](#declaring-permissions-in-the-acl) +- [Declaring the ACL](#declaring-the-acl) - [Requesting User Authorization](#requesting-user-authorization) - [Pre-Authorizing user_grant Permissions](#pre-authorizing-user_grant-permissions) @@ -15,22 +15,22 @@ This document describes: During the development, you need to declare the permissions required by your application one by one in the project configuration file. The application cannot obtain the permissions that are not declared in the configuration file. OpenHarmony provides two application models: FA model and stage model. For more information, see [Application Models](../application-models/application-model-description.md). The application bundle and configuration file vary with the application model. -> **NOTE**
The default APL of an application is **normal**. When an application needs the **system_basic** or **system_core** APL, you must declare the permission in the configuration file and the [Access Control List (ACL)](#declaring-permissions-in-the-acl). +> **NOTE**
The default APL of an application is **normal**. When an application of the **normal** APL needs a permission of the **system_basic** or **system_core** level, you must declare the permission in the configuration file and the [Access Control List (ACL)](#declaring-the-acl). The following table describes the fields in the configuration file. | Field | Mandatory| Description | | --------- | -------- | ------------------------------------------------------------ | | name | Yes | Name of the permission. | -| reason | No | Reason for requesting the permission.
This field is mandatory when the requested permission needs user authorization (user_grant).| -| usedScene | No | Application scenario of the permission.
This field is mandatory when the requested permission needs user authorization (user_grant).| +| reason | No | Reason for requesting the permission.
This field is mandatory when a user_grant permission is required.| +| usedScene | No | Application scenario of the permission.
This field is mandatory when a user_grant permission is required.| | abilities | No | Abilities that require the permission. The value is an array.
**Applicable model**: stage| | ability | No | Abilities that require the permission. The value is an array.
**Applicable model**: FA| | when | No | Time when the permission is used.
Value:
- **inuse**: The permission applies only to a foreground application.
- **always**: The permission applies to both the foreground and background applications.| ### Stage Model -If the application is based on the stage model, declare the permissions in [**module.json5**](../quick-start/module-configuration-file.md). +If your application is based on the stage model, declare the required permissions in [**module.json5**](../quick-start/module-configuration-file.md). ```json { @@ -64,7 +64,7 @@ If the application is based on the stage model, declare the permissions in [**mo ### FA Model -If the application is based on the FA model, declare the required permissions in **config.json**. +If your application is based on the FA model, declare the required permissions in **config.json**. ```json { @@ -96,11 +96,11 @@ If the application is based on the FA model, declare the required permissions in } ``` -## Declaring Permissions in the ACL +## Declaring the ACL -If an application of the **normal** level requires permissions corresponding to the **system_basic** or **system_core** level, you need to declare the required permissions in the ACL. +If an application of the **normal** APL requires permissions of the **system_basic** or **system_core** level, you need to declare the required permissions in the ACL. -For example, if an application needs to access audio files of a user and capture screenshots, it requires the **ohos.permission.WRITE_AUDIO** permission (of the **system_basic** level) and the **ohos.permission.CAPTURE_SCREEN** permission (of the **system_core** level). In this case, you need to add the related permissions to the **acl** field in the [HarmonyAppProvision configuration file](app-provision-structure.md). +For example, if an application needs to access audio files of a user and capture screenshots, it requires the **ohos.permission.WRITE_AUDIO** permission (of the **system_basic** level) and the **ohos.permission.CAPTURE_SCREEN** permission (of the **system_core** level). In this case, you need to add the required permissions to the **acls** field in the [HarmonyAppProvision configuration file](app-provision-structure.md). ```json { @@ -116,11 +116,11 @@ For example, if an application needs to access audio files of a user and capture ## Requesting User Authorization -If an application needs to access user privacy information or use system abilities, for example, accessing location or calendar information or using the camera to take photos or record videos, it must request the permission from users. A permission verification is performed first to determine whether the current invoker has the corresponding permission. If the application has not obtained that permission, a dialog box will be displayed to request user authorization. The following figure shows an example. +If an application needs to access user privacy information or use system abilities, for example, accessing location or calendar information or using the camera to take photos or record videos, it must request the permission from the user. A permission verification is performed first to determine whether the current caller has the corresponding permission. If the application has not obtained that permission, a dialog box will be displayed to request user authorization. The following figure shows an example. ![](figures/permission-read_calendar.png) -> **NOTE**
Each time before an API protected by a permission is accessed, [**requestPermissionsFromUser()**](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) will be called to request user authorization. After a permission is dynamically granted, the user may revoke the permission. Therefore, the previously granted authorization status cannot be persistent. +> **NOTE**
Each time before an API protected by a user_grant permission is accessed, [**requestPermissionsFromUser()**](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) will be called to request user authorization. After the permission is dynamically granted, the user may revoke the authorization. Therefore, the previously granted authorization status cannot be persistent. ### Stage Model @@ -128,7 +128,7 @@ Example: Request the permission for an application to access calendar informatio 1. Apply for the **ohos.permission.READ_CALENDAR** permission. For details, see [Declaring Permissions in the Configuration File](#declaring-permissions-in-the-configuration-file). -2. Call [**requestPermissionsFromUser()**](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) in the **onWindowStageCreate()** callback of the UIAbility to dynamically apply for the permission, or request user authorization on the UI based on service requirements. The return value of [requestPermissionsFromUser()](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) indicates whether the application has the target permission. If yes, the target API can be called normally. +2. Call [**requestPermissionsFromUser()**](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) in the **onWindowStageCreate()** callback of the UIAbility to dynamically apply for the permission, or request user authorization on the UI based on service requirements. The return value of [requestPermissionsFromUser()](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) indicates whether the application has the permission. If yes, the target API can be called. Request user authorization in UIAbility. @@ -149,11 +149,14 @@ Example: Request the permission for an application to access calendar informatio atManager.requestPermissionsFromUser(context, permissions).then((data) => { console.info(`[requestPermissions] data: ${JSON.stringify(data)}`); let grantStatus: Array = data.authResults; - if (grantStatus[0] === -1) { - // The authorization fails. - } else { - // The authorization is successful. + let length: number = grantStatus.length; + for (let i = 0; i < length; i++) { + if (grantStatus[i] !== 0) { + // The authorization fails. + return; + } } + // The authorization is successful. }).catch((err) => { console.error(`[requestPermissions] Failed to start request permissions. Error: ${JSON.stringify(err)}`); }) @@ -179,11 +182,14 @@ Example: Request the permission for an application to access calendar informatio atManager.requestPermissionsFromUser(context, permissions).then((data) => { console.info(`[requestPermissions] data: ${JSON.stringify(data)}`); let grantStatus: Array = data.authResults; - if (grantStatus[0] === -1) { - // The authorization fails. - } else { - // The authorization is successful. + let length: number = grantStatus.length; + for (let i = 0; i < length; i++) { + if (grantStatus[i] !== 0) { + // The authorization fails. + return; + } } + // The authorization is successful. }).catch((err) => { console.error(`[requestPermissions] Failed to start request permissions. Error: ${JSON.stringify(err)}`); }) @@ -217,7 +223,7 @@ reqPermissions() { } ``` ## Pre-Authorizing user_grant Permissions -By default, the **user_grant** permissions must be dynamically authorized by the user through a dialog box. However, for pre-installed applications, you can pre-authorize the permissions, for example, the **ohos.permission.MICROPHONE** permission for camera applications, in the [**install_list_permission.json**] file to prevent the user authorization dialog box from being displayed. The [**install_list_permissions.json** file](https://gitee.com/openharmony/vendor_hihope/blob/master/rk3568/preinstall-config/install_list_permissions.json) is in the **/system/etc/app/** directory on a device. When the device is started, the **install_list_permissions.json** file is loaded. When the application is installed, the **user_grant** permissions in the file are granted. The **install_list_permissions.json** file contains the following fields: +By default, the **user_grant** permissions must be dynamically authorized by the user through a dialog box. However, for pre-installed applications, you can pre-authorize the permissions, for example, the **ohos.permission.MICROPHONE** permission for camera applications, in the [**install_list_permission.json**](https://gitee.com/openharmony/vendor_hihope/blob/master/rk3568/preinstall-config/install_list_permissions.json) file to prevent the user authorization dialog box from being displayed. The **install_list_permissions.json** file is in the **/system/etc/app/** directory on a device. When the device is started, the **install_list_permissions.json** file is loaded. When the application is installed, the user_grant permissions in the file are granted. The **install_list_permissions.json** file contains the following fields: - **bundleName**: bundle name of the application. - **app_signature**: fingerprint information of the application. For details, see **Configuration in install_list_capability.json** in [Application Privilege Configuration Guide](../../device-dev/subsystems/subsys-app-privilege-config-guide.md). diff --git a/en/application-dev/security/accesstoken-overview.md b/en/application-dev/security/accesstoken-overview.md index e42543a356..b6eb50c0d3 100644 --- a/en/application-dev/security/accesstoken-overview.md +++ b/en/application-dev/security/accesstoken-overview.md @@ -1,56 +1,56 @@ # Access Control (Permission) Overview -OpenHarmony AccessTokenManager (ATM) implements unified app permission management based on access tokens. +OpenHarmony AccessTokenManager (ATM) implements unified management of application permissions based on access tokens. -By default, apps can access limited system resources. However, to provide extended features, an app may need to access excess data (including personal data) and functions of the system or another app. The system or apps must also explicitly share their data or functions through APIs. OpenHarmony uses app permissions to perform access control and prevent improper or malicious use of these data or functions. +By default, applications can access limited system resources. However, to provide extended features, an application may need to access excess data (including personal data) and functions of the system or another application. The system or applications must also explicitly share their data or functions through APIs. OpenHarmony uses application permissions to prevent unauthorized access to and improper or malicious use of these data or functions. -App permissions are used to protect the following objects: +Application permissions are used to protect the following objects: -- Data: personal data (such as photos, contacts, calendar, and location), device data (such as device ID, camera, and microphone), and app data. -- Functions: device functions (such as making calls, sending SMS messages, and connecting to the Internet) and app functions (such as displaying windows and creating shortcuts). +- Data: includes personal data (such as photos, contacts, calendar, and location), device data (such as device ID, camera, and microphone), and application data. +- Functions: includes device functions (such as making calls, sending SMS messages, and connecting to the Internet) and application functions (such as displaying windows and creating shortcuts). -Without the required permissions, an app cannot access or perform operations on the target object. Permissions must be clearly defined for apps. With well-defined app permissions, the system can standardize app behavior and protect user privacy. Before an app accesses the target object, the target object verifies the app's permissions and denies the access if the app does not have required permissions. +Without the required permissions, an application cannot access or perform operations on the target object. Permissions must be clearly defined for applications. With well-defined application permissions, the system can standardize application behavior and protect user privacy. Before an application accesses an object, the object verifies the application's permissions and denies the access if the application does not have required permissions. -Currently, ATM verifies app permissions based on the token identity (token ID). A token ID identifies an app. ATM manages app permissions based on the app's token ID. +Currently, ATM verifies application permissions based on the token identity (token ID). A token ID identifies an application. ATM manages application permissions based on the application's token ID. ## Basic Principles for Permission Management -Observe the following principles for permission management: +Observe the following permission management principles: -- Provide clear description about the functions and scenarios for each permission required by the app so that users can clearly know why and when these permissions are needed. Do not induce or mislead users' authorization. The permissions on an app must comply with the description provided in the app. -- Use the principle of least authority for user permissions. Allow only necessary permissions for service functions. -- When an app is started for the first time, avoid frequently displaying dialog boxes to request multiple permissions. Allow the app to apply for the permission only when it needs to use the corresponding service function. -- If a user rejects to grant a permission, the user can still use functions irrelevant to this permission and can register and access the app. +- Provide clear description about the usage and scenario for each permission required by the application so that user can clearly know why and when these permissions are needed. Do not induce or mislead users' authorization. The permissions on an application must comply with the description provided in the application. +- Use the principle of least authority for application permissions. Allow only necessary permissions for service functions. +- When an application is started for the first time, avoid frequently displaying dialog boxes to request multiple permissions. Allow the application to apply for the permission only when it needs to use the corresponding service function. +- If a user rejects to grant a permission, the user can still use functions irrelevant to this permission and can register and access the application. - Provide no more message if a user rejects the authorization required by a function. Provide onscreen instructions to direct the user to grant the permission in **Settings** if the user triggers this function again or needs to use this function. -- All the permissions granted to apps must come from the [App Permission List](permission-list.md). Custom permissions are not allowed currently. +- All the permissions for applications must come from the [Application Permission List](permission-list.md). Custom permissions are not allowed currently. ## Permission Workflows -### Permission Application and Use +### Applying for and Using a Permission -Determine the permissions required by an app, and declare the required permissions in the app installation package. +Determine the permissions required by an application, and declare the required permissions in the application installation package. Determine whether the required permissions need user authorization. If yes, display a dialog box dynamically to request user authorization. -After the user grants the permissions, the app can access the data or perform the operation. +After the user grants the permissions, the application can access the data or perform the operation. The figure below illustrates the process. ![](figures/permission-workflow.png) -1. Refer to the figure below to determine whether an app can apply for a permission. +1. Refer to the figure below to determine whether an application can apply for a permission. ![](figures/permission-application-process.png) -1. See [Permission Levels](#permission-levels) for details about the mapping between the application Ability Privilege Level (APL) and permission level. +1. See [Permission Levels](#permission-levels) for details about the mapping between the application Ability Privilege Level (APL) and the permission level. 2. The permission authorization modes include user_grant (permission granted by the user) and system_grant (permission granted by the system). For details, see [Permission Types](#permission-types). -3. A low-APL app can have a high-level permission by using the Access Control List (ACL). For details, see [ACL](#acl). +3. A low-APL application can have a high-level permission by using the Access Control List (ACL). For details, see [ACL](#acl). -### Permission Verification -To protect sensitive data and eliminate security threads on core abilities, you can use the permissions in the [App Permission List](permission-list.md) to protect an API from unauthorized calling. Each time before the API is called, a permission verification is performed to check whether the caller has the required permission. +### Verifying a Permission +To protect sensitive data and eliminate security threats on core abilities, you can use the permissions in the [Application Permission List](permission-list.md) to protect an API from unauthorized calling. Each time before the API is called, a verification is performed to check whether the caller has the required permission. The API can be called only after the permission verification is successful. @@ -58,37 +58,37 @@ The figure below shows the permission verification process. ![](figures/permission-verify-process.png) -1: An app permission can be used to control the access to an API that has sensitive data involved or security threats on the core abilities. +1: An application permission can be used to control the access to an API that has sensitive data involved or security threats on core abilities. -2: The API can be protected by a permission in the [ACL](#acl). For example, if contact information is involved in an API provided by an app, you can use the contact-related permissions to protect the API. +2: The API can be protected by a permission in the [ACL](#acl). For example, if contact information is involved in an API provided by an application, you can use a contact-related permission to protect the API. -3: Use **verifyAccessToken()** to check whether the caller has the required permission. For details, see [Permission Verification Guide](permission-verify-guidelines.md). +3: Use **checkAccessToken()** to check whether the caller has the required permission. For details, see [API Access Permission Verification](permission-verify-guidelines.md). ## Permission Levels ATM defines different permission levels based on the sensitivity of the data involved or the security threat of the ability to protect user privacy. -### App APLs +### Application APLs -The APL defines the priority of the app permission requested. Apps of different APLs can apply for permissions of different levels. +The APL defines the priority for an application to apply for permissions. Applications of different APLs can apply for permissions of different levels. -The table below describes the APLs. +The following table describes the APLs. | APL | Description | | ---------------- | -------------------------------------- | -| system_core | The apps of this level provide core abilities of the operating system (OS). | -| system_basic| The apps of this level provide basic system services. | -| Normal | The apps of this level are normal apps. | +| system_core | Application that provides core abilities of the operating system (OS). | +| system_basic| Application that provides basic system services. | +| normal | Normal application. | -The default APL of apps is **normal**. +The default APL of applications is **normal**. -To set an app's APL to **system_basic** or **system_core**, declare the APL in the **apl** field of **bundle-info** in the app's profile when developing the app's installation package. +To set an application's APL to **system_basic** or **system_core**, set the **apl** field under **bundle-info** in the application's profile when developing the application's installation package. -Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate or use DevEco Studio to [have your app automatically signed](https://developer.harmonyos.com/en/docs/documentation/doc-guides/ohos-auto-configuring-signature-information-0000001271659465#section161281722111). +Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate or use DevEco Studio to [have your application automatically signed](https://developer.harmonyos.com/en/docs/documentation/doc-guides/ohos-auto-configuring-signature-information-0000001271659465#section161281722111). -> **CAUTION**
The method of changing the app's APL in its profile applies only to the app or service in debug mode. For a commercial app, apply for a release certificate and profile in the corresponding app market. +> **CAUTION**
The method of changing the application's APL in its profile applies only to the application or service in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market. -The following is an example. +Example: This example shows only the modification of the **apl** field. Set other fields based on your requirements. For details about the fields in the profile, see [HarmonyAppProvision Configuration File](app-provision-structure.md). @@ -107,25 +107,25 @@ This example shows only the modification of the **apl** field. Set other fields ### Levels of Permissions -The permissions open to apps vary with the permission level. The permission levels include the following in ascending order of seniority. +The permissions available to applications vary with the APL. The permission levels include the following in ascending order of seniority. - **normal** - The normal permission allows access to common system resources beyond the default rules. Access to these system resources (including data and functions) has minor risks on user privacy and other apps. + The **normal** permission allows access to common system resources beyond the default rules. Access to these resources (including data and functions) has minor risks on user privacy and other applications. - The permissions of this level are available only to apps of the normal or higher APL. + The permissions of this level are available to applications of the **normal** or higher APL. - **system_basic** - The system_basic permission allows access to resources related to basic OS services. The basic services are basic functions provided or preconfigured by the system, such as system settings and identity authentication. Access to these resources may have considerable risks to user privacy and other apps. + The **system_basic** permission allows access to resources related to basic OS services. The basic services are basic functions provided or preconfigured by the system, such as system settings and identity authentication. Access to these resources may have considerable risks to user privacy and other applications. - The permissions of this level are available only to apps of the system_basic or system_core APL. + The permissions of this level are available only to applications of the **system_basic** or **system_core** APL. - **system_core** - The system_core permission allows access to core resources of the OS. These resources are underlying core services of the system. If these resources are corrupted, the OS cannot run properly. + The **system_core** permission allows access to core resources of the OS. These resources are underlying core services of the system. If these resources are corrupted, the OS cannot run properly. - The system_core permissions are not open to third-party apps. + The **system_core** permissions are not available to third-party applications. ## Permission Types @@ -133,80 +133,80 @@ Permissions can be classified into the following types based on the authorizatio - **system_grant** - The app permissions are authorized by the system. Apps granted with this type of permission cannot access user or device sensitive information, and the operations allowed for them have minor impact on the system or other apps. + A system_grant permission is authorized by the system. The application with this type of permission cannot access user or device sensitive information, and the operations allowed have minor impact on the system or other applications. - For a system_grant app, the system automatically grants the required permissions to the app when the app is installed. The system_grant permission list must be presented to users on the details page of the app in the app market. + For an application with a system_grant permission, the system automatically grants the permission to the application when the application is installed. The system_grant permission list must be presented to users on the details page of the application in the application market. - **user_grant** - The app permissions must be authorized by users. Apps granted with this type of permissions may access user or device sensitive information, and the operations allowed for them may have a critical impact on the system or other apps. + A user_grant permission must be authorized by the user. An application with this type of permission may access user or device sensitive information, and the operations allowed may have a critical impact on the system or other applications. - This type of permissions must be declared in the app installation package and authorized by users dynamically during the running of the app. The app has the permission only after user authorization. + This type of permissions must be declared in the application installation package and authorized by users dynamically during the running of the application. The application has the permission only after user authorization. - For example, as described in the [App Permission List](permission-list.md), the permissions for microphones and cameras are user_grant. The list provides reasons for using the permissions. + For example, the permissions for microphones and cameras in the [Application Permission List](permission-list.md) are user_grant. The list provides information about when to use the permissions. - The user_grant permission list must also be presented on the details page of the app in the app market. + The user_grant permission list must also be presented on the details page of each application in the application market. ### Authorization Processes -As described in [Permission Workflows](permission-workflows), you need to first apply for the required permissions for the app. +As described in [Permission Workflows](permission-workflows), you need to first apply for the required permissions for your application. -- Applying for permissions +- Applying for a permission - You need to [declare the required permissions](accesstoken-guidelines.md#declaring-permissions) in the configuration file. + You need to [declare the required permissions](accesstoken-guidelines.md#declaring-permissions-in-the-configuration-file) in the configuration file. -- Authorizing permissions +- Authorizing a permission - - The system_grant permission will be pre-granted when the app is installed. - - For a user_grant permission, you need to trigger user authorization through a dialog box during the running of the app. For details, see [Requesting User Authorization](#requesting-user-authorization). + - The system_grant permission is pre-granted when the application is installed. + - For a user_grant permission, you need to trigger user authorization through a dialog box during the running of the application. For details, see [Requesting User Authorization](#requesting-user-authorization). ### Requesting User Authorization The procedure is as follows: -1. In the configuration file, declare the permissions required by the app. For details, see [Access Control Development](accesstoken-guidelines.md). +1. In the configuration file, declare the permissions required by your application. For details, see [Permission Application Guide](accesstoken-guidelines.md). -2. Associate the target objects in the app with the related permissions. This allows the users to know the operations that need user authorization. +2. Associate the target object in the application with the required permission. This allows the users to know the operations that need user authorization. -3. Use an API to dynamically trigger a dialog box requesting user authorization when the target object is accessed. The API first checks whether the user has granted the required permissions to the app. If yes, the app can access the data or perform the operation. Otherwise, a dialog box will be displayed to request user authorization. +3. Use an API to dynamically trigger a dialog box for requesting user authorization when the target object is accessed. This API first checks whether the user has granted the permission required. If no, a dialog box will be displayed to request authorization from the user. -4. Check the user authorization result. Allow the subsequent operation only after the user has granted the permissions to the app. +4. Check the user authorization result. Allow the subsequent operations only after the user has granted the permission to the application successfully. -**Precautions** +**Caution** -- Check the app's permission each time before the operation requiring the permission is performed. -- To check whether a user has granted specific permissions to an app, use the [verifyAccessToken](../reference/apis/js-apis-abilityAccessCtrl.md) API. This API returns [PERMISSION_GRANTED](../reference/apis/js-apis-abilityAccessCtrl.md) or [PERMISSION_DENIED](../reference/apis/js-apis-abilityAccessCtrl.md). For details about the sample code, see [Access Control Development](accesstoken-guidelines.md). -- Users must be able to understand and control the authorization of user_grant permissions. During the running process, the app requiring user authorization must proactively call an API to dynamically request the authorization. Then, the system displays a dialog box asking the user to grant the permission. The user will determine whether to grant the permission based on the running context of the app. -- The permission authorized is not permanent, because the user may revoke the authorization at any time. Therefore, even if the user has granted the requested permission to the app, the app must check for the permission before calling the API controlled by this permission. +- Each time before the operation that requires the target permission is performed, the application must check whether the permission is available. +- To check whether a user has granted a permission to your application, use [checkAccessToken()](../reference/apis/js-apis-abilityAccessCtrl.md#checkaccesstoken9). This API returns [PERMISSION_GRANTED](../reference/apis/js-apis-abilityAccessCtrl.md) or [PERMISSION_DENIED](../reference/apis/js-apis-abilityAccessCtrl.md). For details about the sample code, see [Permission Application Guide](accesstoken-guidelines.md). +- Users must be able to understand and control the authorization of user_grant permissions. For a user_grant permission, the application must proactively call an API to dynamically request user authorization. Then, the system displays a dialog box asking the user to grant the permission. The user then determines whether to grant the permission. +- The user may revoke the permission authorization at any time. Therefore, each time before an API associated with a user_grant permission is called, the application must check whether the permission is available. ## ACL -As described above, permission levels and app APLs are in one-to-one correspondence. In principle, **an app with a lower APL cannot apply for higher permissions by default**. +Permission levels and application APLs are in one-to-one correspondence. In principle, an application with a lower APL cannot apply for higher-level permissions by default. -The ACL makes low-APL apps have high-level permissions. +The ACL makes low-APL applications have high-level permissions. -**Example** +**Example:** -The APL of app A is **normal**. App A needs to have permission B (system_basic level) and permission C (normal level). +The APL of application A is **normal**. Application A needs to have permission B (system_basic level) and permission C (normal level). -In this case, you can use the ACL to grant permission B to app A. +In this case, you can use the ACL to grant permission B to application A. For details, see [Using the ACL](#using-the-acl). -For details about whether a permission can be enabled through the ACL, see [App Permission List](permission-list.md). +For details about whether a permission can be enabled via the ACL, see [Application Permission List](permission-list.md). ### Using the ACL -If the permission required by an app has a higher level than the app's APL, you can use the ACL to grant the permission required. +If the permission required by an application has a higher level than the application's APL, you can use the ACL to grant the permission required. In addition to the preceding [authorization processes](#authorization-processes), you must declare the ACL. -That is, you need to declare the required permissions in the app's configuration file, and [declare the ACL](accesstoken-guidelines.md#declaring-permissions-in-the-acl) in the app's profile. The subsequent steps of authorization are the same. +That is, you need to declare the required permissions in the application's configuration file, and [declare the ACL](accesstoken-guidelines.md#declaring-the-acl) in the application's profile. The subsequent authorization steps are the same. **NOTICE** -When developing an app installation package, you must declare the ACL in the **acls** field in the app's profile. Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate. +When developing an application installation package, you must declare the ACL in the **acls** field in the application's profile. Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate. -> **CAUTION**
The method of changing the app's APL in its profile applies only to the app or service in debug mode. For a commercial app, apply for a release certificate and profile in the corresponding app market. +> **CAUTION**
The method of changing the application's APL in its profile applies only to the application or service in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market. ```json { diff --git a/en/application-dev/security/permission-list.md b/en/application-dev/security/permission-list.md index e77eac675a..743d89654a 100644 --- a/en/application-dev/security/permission-list.md +++ b/en/application-dev/security/permission-list.md @@ -12,7 +12,7 @@ Allows an application to access Bluetooth configurations. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.DISCOVER_BLUETOOTH @@ -22,7 +22,7 @@ Allows an application to configure Bluetooth on a device, initiate or cancel a s **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_BLUETOOTH @@ -32,7 +32,7 @@ Allows an application to pair with a Bluetooth device and access the contacts or **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.INTERNET @@ -42,7 +42,7 @@ Allows an application to access the Internet. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MODIFY_AUDIO_SETTINGS @@ -52,7 +52,7 @@ Allows an application to modify audio settings. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_NOTIFICATION_POLICY @@ -66,13 +66,13 @@ Allows an application to access the notification policy on the device. ## ohos.permission.GET_TELEPHONY_STATE -Allows an application to read telephony information. +Allows an application to read telephony information. **Permission level**: system_basic **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.REQUIRE_FORM @@ -82,7 +82,7 @@ Allows an application to obtain the Ability Form. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_NETWORK_INFO @@ -92,7 +92,7 @@ Allows an application to obtain network information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.PLACE_CALL @@ -102,7 +102,7 @@ Allows an application to make calls without starting the dialer. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_NETWORK_INFO @@ -112,7 +112,7 @@ Allows an application to set data network information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.REMOVE_CACHE_FILES @@ -122,7 +122,7 @@ Allows the cache of the specified application to be cleared. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.REBOOT @@ -132,7 +132,7 @@ Allows an application to restart the device. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.RUNNING_LOCK @@ -142,7 +142,7 @@ Allows an application to obtain a running lock. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_TIME @@ -152,7 +152,7 @@ Allows an application to set the system time. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_TIME_ZONE @@ -162,7 +162,7 @@ Allows an application to set the system time zone. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.DOWNLOAD_SESSION_MANAGER @@ -172,7 +172,7 @@ Allows an application to manage the download sessions. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.COMMONEVENT_STICKY @@ -182,7 +182,7 @@ Allows an application to publish sticky common events. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SYSTEM_FLOAT_WINDOW @@ -192,7 +192,7 @@ Allows an application to be displayed in a floating window on top of other appli **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.PRIVACY_WINDOW @@ -202,7 +202,7 @@ Allows an application to set screens that cannot be captured or recorded. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.POWER_MANAGER @@ -212,7 +212,7 @@ Allows an application to hibernate or wake up the device by calling an API. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.REFRESH_USER_ACTION @@ -222,7 +222,7 @@ Allows an application to reset the screen timeout counter when a user input even **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.POWER_OPTIMIZATION @@ -232,7 +232,7 @@ Allows an application to set power saving mode, obtain configuration of the powe **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.REBOOT_RECOVERY @@ -242,7 +242,7 @@ Allows an application to restart the device and enter Recovery mode. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_LOCAL_ACCOUNTS @@ -252,7 +252,7 @@ Allows an application to manage local user accounts. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS @@ -262,7 +262,7 @@ Allows access between multiple OS accounts. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.VIBRATE @@ -272,7 +272,7 @@ Allows an application to control vibration. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CONNECT_IME_ABILITY @@ -282,7 +282,7 @@ Allows an application to bind the InputMethodAbility. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CONNECT_SCREEN_SAVER_ABILITY @@ -292,7 +292,7 @@ Allows an application to bind the ScreenSaverAbility. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_SCREEN_SAVER @@ -302,7 +302,7 @@ Allows an application to read the screen saver information, such as the list of **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_SCREEN_SAVER @@ -312,7 +312,7 @@ Allows an application to modify the screen saver information, such as activating **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_WALLPAPER @@ -322,7 +322,7 @@ Allows an application to set a static wallpaper. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_WALLPAPER @@ -332,7 +332,7 @@ Allows an application to read wallpaper files. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CHANGE_ABILITY_ENABLED_STATE @@ -342,7 +342,7 @@ Allows an application to enable or disable an application or component. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_MISSIONS @@ -352,7 +352,7 @@ Allows an application to obtain information about running processes and mission **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CLEAN_BACKGROUND_PROCESSES @@ -362,7 +362,7 @@ Allows an application to clear background processes based on their bundle names. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.KEEP_BACKGROUND_RUNNING @@ -372,7 +372,7 @@ Allows a Service ability to keep running in the background. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.UPDATE_CONFIGURATION @@ -382,7 +382,7 @@ Allows an application to modify system settings. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.UPDATE_SYSTEM @@ -392,7 +392,7 @@ Allows an application to call the update APIs. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.FACTORY_RESET @@ -402,7 +402,7 @@ Allows an application to call the API for restoring factory settings. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GRANT_SENSITIVE_PERMISSIONS @@ -412,7 +412,7 @@ Allows an application to grant sensitive permissions to other applications. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.REVOKE_SENSITIVE_PERMISSIONS @@ -422,7 +422,7 @@ Allows an application to revoke sensitive permissions granted to other applicati **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_SENSITIVE_PERMISSIONS @@ -432,7 +432,7 @@ Allows an application to obtain the sensitive permissions that have been granted **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION @@ -442,7 +442,7 @@ Allows an application to set attributes for the applications of other users. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.LISTEN_BUNDLE_CHANGE @@ -452,7 +452,7 @@ Allows an application to listen for changes in other applications, when they are **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_BUNDLE_INFO @@ -462,7 +462,7 @@ Allows an application to query information about another application. This permi **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_BUNDLE_INFO_PRIVILEGED @@ -472,7 +472,7 @@ Allows an application to query information about other applications at the same **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCELEROMETER @@ -482,7 +482,7 @@ Allows an application to read data from an acceleration sensor, uncalibrated acc **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GYROSCOPE @@ -492,7 +492,7 @@ Allows an application to read data from a gyroscope sensor or uncalibrated gyros **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.INSTALL_BUNDLE @@ -502,7 +502,7 @@ Allows an application to install and uninstall other applications. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_SHORTCUTS @@ -512,7 +512,7 @@ Allows an application to query and start shortcuts of other applications. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.radio.ACCESS_FM_AM @@ -522,7 +522,7 @@ Allows an application to access radio services. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_TELEPHONY_STATE @@ -532,7 +532,7 @@ Allows an application to change the telephone state. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.START_ABILITIES_FROM_BACKGROUND @@ -542,7 +542,7 @@ Allows an application to start or access other components from the background. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.BUNDLE_ACTIVE_INFO @@ -552,7 +552,7 @@ Allows an application to obtain how long other applications have been running in **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.START_INVISIBLE_ABILITY @@ -562,7 +562,7 @@ Allows an application to start an invisible ability. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.sec.ACCESS_UDID @@ -572,7 +572,7 @@ Allows an application to obtain the Unified Device ID (UDID). **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.LAUNCH_DATA_PRIVACY_CENTER @@ -582,7 +582,7 @@ Allows an application to switch from its privacy statement page to the Data & **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_MEDIA_RESOURCES @@ -592,7 +592,7 @@ Allows an application to obtain and manage the media resources that are being pl **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.PUBLISH_AGENT_REMINDER @@ -602,7 +602,7 @@ Allows an application to use agent-powered reminders. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CONTROL_TASK_SYNC_ANIMATOR @@ -612,7 +612,7 @@ Allows an application to use sync task animations. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.INPUT_MONITORING @@ -622,7 +622,7 @@ Allows an application to listen for input events. Only the system signed applica **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_MISSIONS @@ -632,7 +632,7 @@ Allows an application to manage ability mission stacks. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.NOTIFICATION_CONTROLLER @@ -642,7 +642,7 @@ Allows an application to manage and subscribe to notifications. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CONNECTIVITY_INTERNAL @@ -652,7 +652,7 @@ Allows an application to obtain network information or modify network settings. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_ABILITY_CONTROLLER @@ -662,7 +662,7 @@ Allows an application to set the start and stop of an ability. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.USE_USER_IDM @@ -692,7 +692,7 @@ Allows an application to use biometric recognition for identity authentication. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_USER_AUTH_INTERNAL @@ -722,7 +722,7 @@ Allows an application to obtain running status information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CLEAN_APPLICATION_DATA @@ -732,7 +732,7 @@ Allows an application to clear application data. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.RUNNING_STATE_OBSERVER @@ -742,7 +742,7 @@ Allows an application to observe the application status. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CAPTURE_SCREEN @@ -752,7 +752,7 @@ Allows an application to take screenshots. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_WIFI_INFO @@ -762,7 +762,7 @@ Allows an application to obtain WLAN information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_WIFI_INFO_INTERNAL @@ -772,7 +772,7 @@ Allows an application to obtain WLAN information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_WIFI_INFO @@ -782,7 +782,7 @@ Allows an application to set WLAN devices. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_WIFI_PEERS_MAC @@ -792,7 +792,7 @@ Allows an application to obtain the MAC address of the peer WLAN or Bluetooth de **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_WIFI_LOCAL_MAC @@ -802,7 +802,7 @@ Allows an application to obtain the MAC address of the local WLAN or Bluetooth d **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_WIFI_CONFIG @@ -812,7 +812,7 @@ Allows an application to obtain the WLAN configuration. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_WIFI_CONFIG @@ -822,7 +822,7 @@ Allows an application to set WLAN information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_WIFI_CONNECTION @@ -832,7 +832,7 @@ Allows an application to manage WLAN connections. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_WIFI_HOTSPOT @@ -842,7 +842,7 @@ Allows an application to enable or disable Wi-Fi hotspots. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_ALL_APP_ACCOUNTS @@ -862,7 +862,7 @@ Allows an application to modify security settings. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_DFX_SYSEVENT @@ -872,7 +872,7 @@ Allows an application to access system event logging data. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_ENTERPRISE_DEVICE_ADMIN @@ -882,7 +882,7 @@ Allows an application to activate the device administrator app. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_ENTERPRISE_INFO @@ -892,7 +892,7 @@ Allows the device administrator application to set enterprise information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT @@ -902,7 +902,7 @@ Allows the device administrator application to subscribe to management events. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ENTERPRISE_SET_DATETIME @@ -912,7 +912,7 @@ Allows the device administrator application to set the system time. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ENTERPRISE_GET_DEVICE_INFO @@ -922,7 +922,7 @@ Allows the device administrator application to obtain device information. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ENTERPRISE_RESET_DEVICE @@ -932,7 +932,37 @@ Allows the device administrator to restore factory settings of the device. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE + +## ohos.permission.ENTERPRISE_SET_WIFI + +Allows a device administrator application to set and query Wi-Fi information. + +**Permission level**: system_basic + +**Authorization mode**: system_grant + +**Enable via ACL**: TRUE + +## ohos.permission.ENTERPRISE_GET_NETWORK_INFO + +Allows a device administrator application to query network information. + +**Permission level**: system_basic + +**Authorization mode**: system_grant + +**Enable via ACL**: TRUE + +## ohos.permission.ENTERPRISE_SET_ACCOUNT_POLICY + +Allows the device administrator to set account management policies. + +**Permission level**: system_basic + +**Authorization mode**: system_grant + +**Enable via ACL**: TRUE ## ohos.permission.NFC_TAG @@ -962,7 +992,7 @@ Allows a system application to access the permission usage records. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.NOTIFICATION_AGENT_CONTROLLER @@ -972,7 +1002,7 @@ Allows an application to send agent-powered notifications. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ANSWER_CALL @@ -982,7 +1012,7 @@ Allows an application to answer incoming calls. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_CALENDAR @@ -992,7 +1022,7 @@ Allows an application to read calendar data. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_CALL_LOG @@ -1002,7 +1032,7 @@ Allows an application to read call logs. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_CELL_MESSAGES @@ -1012,7 +1042,7 @@ Allows an application to read cell broadcast messages received by the device. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_CONTACTS @@ -1022,7 +1052,7 @@ Allows an application to read contacts. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_MESSAGES @@ -1032,7 +1062,7 @@ Allows an application to read messages. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.RECEIVE_MMS @@ -1042,7 +1072,7 @@ Allows an application to receive and process MMS messages. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.RECEIVE_SMS @@ -1052,7 +1082,7 @@ Allows an application to receive and process SMS messages. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.RECEIVE_WAP_MESSAGES @@ -1062,7 +1092,7 @@ Allows an application to receive and process WAP messages. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MICROPHONE @@ -1072,7 +1102,7 @@ Allows an application to access the microphone. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SEND_MESSAGES @@ -1082,7 +1112,7 @@ Allows an application to send messages. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_CALENDAR @@ -1092,7 +1122,7 @@ Allows an application to add, remove, and modify calendar events. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_CALL_LOG @@ -1102,7 +1132,7 @@ Allows an application to add, remove, and modify call logs. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_CONTACTS @@ -1112,7 +1142,7 @@ Allows an application to add, remove, and modify contacts. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.DISTRIBUTED_DATASYNC @@ -1122,7 +1152,7 @@ Allows an application to exchange data with other devices. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_VOICEMAIL @@ -1132,7 +1162,7 @@ Allows an application to leave messages in the voice mailbox. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.LOCATION_IN_BACKGROUND @@ -1152,7 +1182,9 @@ Allows an application to obtain the device location. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE + +**Application conditions**: The applications developed using the SDK earlier than API version 9 can directly apply for this permission. For the applications developed using the SDK of API version 9 or later, you need to apply for [ohos.permission.APPROXIMATELY_LOCATION](#ohospermissionapproximately_location) before applying for this permission. ## ohos.permission.APPROXIMATELY_LOCATION @@ -1164,6 +1196,8 @@ Allows an application to obtain the approximate location information of a device **Enable ACL**: FALSE +**Application conditions**: Only applications developed using the SDK of API version 9 or later can apply for this permission. + ## ohos.permission.MEDIA_LOCATION Allows an application to access geographical locations in the user's media file. @@ -1172,7 +1206,7 @@ Allows an application to access geographical locations in the user's media file. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.CAMERA @@ -1182,7 +1216,7 @@ Allows an application to use the camera to take photos and record videos. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_MEDIA @@ -1192,7 +1226,7 @@ Allows an application to read media files from the user's external storage. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_MEDIA @@ -1202,7 +1236,7 @@ Allows an application to read media files from and write media files into the us **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACTIVITY_MOTION @@ -1212,7 +1246,7 @@ Allows an application to read the current workout status of the user. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_HEALTH_DATA @@ -1222,7 +1256,7 @@ Allows an application to read the health data of the user. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.GET_DEFAULT_APPLICATION @@ -1232,7 +1266,7 @@ Allows an application to query default applications. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.SET_DEFAULT_APPLICATION @@ -1242,7 +1276,7 @@ Allows an application to set and reset default applications. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_DISPOSED_APP_STATUS @@ -1252,7 +1286,7 @@ Allows an application to set and query the application handling state. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_IDS @@ -1262,7 +1296,7 @@ Allows an application to query the unique identifier of a device. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.DUMP @@ -1272,7 +1306,7 @@ Allows the basic system information and SA service information to be exported. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.DISTRIBUTED_SOFTBUS_CENTER @@ -1292,7 +1326,7 @@ Allows configuration and management of the permissions on .dlp files. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.PROVISIONING_MESSAGE @@ -1302,7 +1336,7 @@ Allows the Super Device Manager application to be activated. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_SYSTEM_SETTINGS @@ -1312,7 +1346,7 @@ Allows an application to access or start system **Settings**. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_IMAGEVIDEO @@ -1322,7 +1356,7 @@ Allows access to the images or video files in a user's directory. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_AUDIO @@ -1332,7 +1366,7 @@ Allows access to the audio files in a user's directory. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.READ_DOCUMENT @@ -1342,7 +1376,7 @@ Allows access to the files in a user's directory. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_IMAGEVIDEO @@ -1352,7 +1386,7 @@ Allows modification to the images or video files in a user's directory. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_AUDIO @@ -1362,7 +1396,7 @@ Audio modification to the audio files in a user's directory. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_DOCUMENT @@ -1372,7 +1406,7 @@ Allows modification to the files in a user's directory. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ABILITY_BACKGROUND_COMMUNICATION @@ -1382,7 +1416,7 @@ Allows an application to start the Ability component in the background and estab **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.securityguard.REPORT_SECURITY_INFO @@ -1402,7 +1436,7 @@ Allows an application to obtain the device risk status. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.securityguard.REQUEST_SECURITY_EVENT_INFO @@ -1462,7 +1496,7 @@ Allows an application to to access the Ability of the push service. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.RECEIVER_STARTUP_COMPLETED @@ -1492,7 +1526,7 @@ Allows an application to read all calendar information. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.WRITE_WHOLE_CALENDAR @@ -1502,7 +1536,7 @@ Allows an application to add, remove, or change all calendar events. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ENFORCE_USER_IAM @@ -1512,7 +1546,7 @@ Allows an SA to delete user information from the IAM subsystem without a token. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_AUTH_RESPOOL @@ -1522,7 +1556,7 @@ Allows an SA to register the executor. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MOUNT_UNMOUNT_MANAGER @@ -1552,7 +1586,7 @@ Allows an application to call the interfaces of the Storage Manager service to q **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.BACKUP @@ -1562,7 +1596,7 @@ Allows an application to have backup and restore capabilities. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.FILE_ACCESS_MANAGER @@ -1572,7 +1606,7 @@ Allows a file management application to access user data files through the FAF. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.MANAGE_AUDIO_CONFIG @@ -1582,7 +1616,7 @@ Allows an application to to mute microphones globally. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_SERVICE_DM @@ -1592,7 +1626,7 @@ Allows a system application to obtain the authentication and networking capabili **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.APP_TRACKING_CONSENT @@ -1602,7 +1636,7 @@ Allows an application to read advertisement identifiers. **Authorization mode**: user_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.RUN_ANY_CODE @@ -1612,7 +1646,7 @@ Allows an application to run unsigned code. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.PUBLISH_SYSTEM_COMMON_EVENT @@ -1622,7 +1656,7 @@ Allows an application to publish system common events. **Authorization mode**: system_grant -**Enable ACL**: TRUE +**Enable via ACL**: TRUE ## ohos.permission.ACCESS_SCREEN_LOCK_INNER -- GitLab