diff --git a/en/application-dev/security/accesstoken-guidelines.md b/en/application-dev/security/accesstoken-guidelines.md
index c2f85312639e4bdf40efd4a32dddacae9a51b9e4..eab4a6b1197305ced0964a23ef44957e20a955c5 100644
--- a/en/application-dev/security/accesstoken-guidelines.md
+++ b/en/application-dev/security/accesstoken-guidelines.md
@@ -2,70 +2,46 @@
## When to Use
-In this example, the application requires the **ohos.permission.PERMISSION1** and **ohos.permission.PERMISSION2** permissions to implement core functions.
+The [Ability Privilege Level (APL)](accesstoken-overview.md#app-apls) of an application can be **normal**, **system_basic**, or **system_core**. The default APL is **normal**. The [permission types](accesstoken-overview.md#permission-types) include **system_grant** and **user_grant**. For details about the permissions for applications, see the [Application Permission List](permission-list.md).
-- The ability privilege level (APL) of the application is **normal**.
-- The level of **ohos.permission.PERMISSION1** is **normal**, and the authorization mode is **system_grant**.
-- The level of **ohos.permission.PERMISSION2** is **system_basic**, and the authorization mode is **user_grant**.
+This document describes the following operations:
-> **CAUTION**
->
-> In this scenario, the required permissions include a **user_grant** permission. You can check whether the caller has the required permission through permission verification.
->
-> If the application has not obtained that permission, a dialog box will be displayed to request user authorization.
+- [Declaring Permissions in the Configuration File](#declaring-permissions-in-the-configuration-file)
+- [Declaring the ACL](#declaring-the-acl)
+- [Requesting User Authorization](#requesting-user-authorization)
+- [Pre-Authorizing user_grant Permissions](#pre-authorizing-user_grant-permissions)
-For details about the permissions for applications, see the [application permission list](permission-list.md).
+## Declaring Permissions in the Configuration File
-## Available APIs
+During the development, you need to declare the permissions required by your application one by one in the project configuration file. The application cannot obtain the permissions that are not declared in the configuration file. OpenHarmony provides two application models: FA model and stage model. For more information, see [Application Models](../application-models/application-model-description.md). The application bundle and configuration file vary with the application model.
-The following lists only the APIs used in this guide. The APIs used vary with the applicatin models. For more information, see [Examples](##Examples).
+> **NOTE**
The default APL of an application is **normal**. When an application of the **normal** APL needs a permission of the **system_basic** or **system_core** level, you must declare the permission in the configuration file and the [Access Control List (ACL)](#declaring-the-acl).
-### FA Model
-| API | Description |
-| ------------------------------------------------------------ | --------------------------------------------------- |
-| requestPermissionsFromUser(permissions: Array<string>, requestCallback: AsyncCallback<PermissionRequestResult>) : void; | Requests permissions from the user.|
-> For details, see [AbilityContext](../reference/apis/js-apis-ability-context.md).
+The following table describes the fields in the configuration file.
+| Field | Mandatory| Description |
+| --------- | -------- | ------------------------------------------------------------ |
+| name | Yes | Name of the permission. |
+| reason | No | Reason for requesting the permission.
This field is mandatory when a user_grant permission is required.|
+| usedScene | No | Application scenario of the permission.
This field is mandatory when a user_grant permission is required.|
+| abilities | No | Abilities that require the permission. The value is an array.
**Applicable model**: stage|
+| ability | No | Abilities that require the permission. The value is an array.
**Applicable model**: FA|
+| when | No | Time when the permission is used.
Value:
- **inuse**: The permission applies only to a foreground application.
- **always**: The permission applies to both the foreground and background applications.|
### Stage Model
-| API | Description |
-| ------------------------------------------------------------ | --------------------------------------------------- |
-| requestPermissionsFromUser(context: Context, permissions: Array<Permissions>, requestCallback: AsyncCallback<PermissionRequestResult>) : void; | Requests permissions from the user.|
-> For details, see [Ability Access Control](../reference/apis/js-apis-abilityAccessCtrl.md).
-
-## Declaring Permissions
-
-Declare the permissions required by the application one by one in the project configuration file. The application cannot obtain the permissions that are not declared in the configuration file. OpenHarmony provides two application models: FA model and stage model. For more information, see [Application Models](../application-models/application-model-description.md).
-
-The application bundle structure and configuration file vary with the application models.
-
-The following table describes the fields in the configuration files.
-
-| Field | Description |
-| --------- | ------------------------------------------------------------ |
-| name | Name of the permission. |
-| reason | Reason for requesting the permission. This field is mandatory for a user_grant permission.|
-| usedScene | Scenario of the permission. This field is mandatory for a user_grant permission.|
-| ability | Abilities that require the permission. The value is an array.
**Applicable model**: FA |
-| abilities | Abilities that require the permission. The value is an array.
**Applicable model**: stage |
-| when | Time when the permission is used. The value can be **inuse** (the permission can be used only in the foreground) or **always** (the permission can be used in foreground and background).|
-
-### FA Model
-
-For the applications based on the FA model, declare the required permissions in the **config.json** file.
-
-**Example**
+If your application is based on the stage model, declare the required permissions in [**module.json5**](../quick-start/module-configuration-file.md).
```json
{
"module" : {
- "reqPermissions":[
+ // ...
+ "requestPermissions":[
{
"name" : "ohos.permission.PERMISSION1",
"reason": "$string:reason",
"usedScene": {
- "ability": [
+ "abilities": [
"FormAbility"
],
"when":"inuse"
@@ -75,7 +51,7 @@ For the applications based on the FA model, declare the required permissions in
"name" : "ohos.permission.PERMISSION2",
"reason": "$string:reason",
"usedScene": {
- "ability": [
+ "abilities": [
"FormAbility"
],
"when":"always"
@@ -86,21 +62,20 @@ For the applications based on the FA model, declare the required permissions in
}
```
-### Stage Model
-
-For the applications based on the stage model, declare the required permissions in the **module.json5** file.
+### FA Model
-**Example**
+If your application is based on the FA model, declare the required permissions in **config.json**.
```json
{
"module" : {
- "requestPermissions":[
+ // ...
+ "reqPermissions":[
{
"name" : "ohos.permission.PERMISSION1",
"reason": "$string:reason",
"usedScene": {
- "abilities": [
+ "ability": [
"FormAbility"
],
"when":"inuse"
@@ -110,7 +85,7 @@ For the applications based on the stage model, declare the required permissions
"name" : "ohos.permission.PERMISSION2",
"reason": "$string:reason",
"usedScene": {
- "abilities": [
+ "ability": [
"FormAbility"
],
"when":"always"
@@ -121,110 +96,157 @@ For the applications based on the stage model, declare the required permissions
}
```
-## Declaring Permissions in the ACL
-
-The permission level of **ohos.permission.PERMISSION2** is **system_basic**, which is higher than the app's APL. In this case, use the ACL.
+## Declaring the ACL
-In addition to declaring all the permissions in the configuration file, you must declare the permissions whose levels are higher that the app's APL in the app's profile. For details about the fields in the profile, see [HarmonyAppProvision Configuration File](app-provision-structure.md).
+If an application of the **normal** APL requires permissions of the **system_basic** or **system_core** level, you need to declare the required permissions in the ACL.
-For example, declare the required permission in the **acls** field:
+For example, if an application needs to access audio files of a user and capture screenshots, it requires the **ohos.permission.WRITE_AUDIO** permission (of the **system_basic** level) and the **ohos.permission.CAPTURE_SCREEN** permission (of the **system_core** level). In this case, you need to add the required permissions to the **acls** field in the [HarmonyAppProvision configuration file](app-provision-structure.md).
```json
{
- "acls": {
- "allowed-acls": [
- "ohos.permission.PERMISSION2"
- ]
- }
+ // ...
+ "acls":{
+ "allowed-acls":[
+ "ohos.permission.WRITE_AUDIO",
+ "ohos.permission.CAPTURE_SCREEN"
+ ]
+ }
}
```
-## Applying for the user_grant Permission
+## Requesting User Authorization
-After the permissions are declared, the system grants the system_grant permission during the installation of the app. The user_grant permission must be authorized by the user.
+If an application needs to access user privacy information or use system abilities, for example, accessing location or calendar information or using the camera to take photos or record videos, it must request the permission from the user. A permission verification is performed first to determine whether the current caller has the corresponding permission. If the application has not obtained that permission, a dialog box will be displayed to request user authorization. The following figure shows an example.
-Therefore, before allowing the application to call the API protected by the **ohos.permission.PERMISSION2** permission, the system needs to verify whether the application has the permission to do so.
+
-If the verification result indicates that the application has the permission, the application can access the target API. Otherwise, the application needs to request user authorization and then proceeds based on the authorization result. For details, see [Access Control Overview](accesstoken-overview.md).
+> **NOTE**
Each time before an API protected by a user_grant permission is accessed, [**requestPermissionsFromUser()**](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) will be called to request user authorization. After the permission is dynamically granted, the user may revoke the authorization. Therefore, the previously granted authorization status cannot be persistent.
-> **CAUTION**
->
-> The permission authorized by a user is not permanent, because the user may revoke the authorization at any time. Each time before the API protected by the permission is called, call **requestPermissionsFromUser()** to request the permission.
+### Stage Model
-## Examples
+Example: Request the permission for an application to access calendar information.
+
+1. Apply for the **ohos.permission.READ_CALENDAR** permission. For details, see [Declaring Permissions in the Configuration File](#declaring-permissions-in-the-configuration-file).
+
+2. Call [**requestPermissionsFromUser()**](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) in the **onWindowStageCreate()** callback of the UIAbility to dynamically apply for the permission, or request user authorization on the UI based on service requirements. The return value of [requestPermissionsFromUser()](../reference/apis/js-apis-abilityAccessCtrl.md#requestpermissionsfromuser9) indicates whether the application has the permission. If yes, the target API can be called.
+
+ Request user authorization in UIAbility.
+
+ ```typescript
+ import UIAbility from '@ohos.app.ability.UIAbility';
+ import window from '@ohos.window';
+ import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
+
+ export default class EntryAbility extends UIAbility {
+ // ...
+
+ onWindowStageCreate(windowStage: window.WindowStage) {
+ // Main window is created, set main page for this ability
+ let context = this.context;
+ let atManager = abilityAccessCtrl.createAtManager();
+ // The return value of requestPermissionsFromUser determines whether to display a dialog box to request user authorization.
+ const permissions: Array = ['ohos.permission.READ_CALENDAR'];
+ atManager.requestPermissionsFromUser(context, permissions).then((data) => {
+ console.info(`[requestPermissions] data: ${JSON.stringify(data)}`);
+ let grantStatus: Array = data.authResults;
+ let length: number = grantStatus.length;
+ for (let i = 0; i < length; i++) {
+ if (grantStatus[i] !== 0) {
+ // The authorization fails.
+ return;
+ }
+ }
+ // The authorization is successful.
+ }).catch((err) => {
+ console.error(`[requestPermissions] Failed to start request permissions. Error: ${JSON.stringify(err)}`);
+ })
+
+ // ...
+ }
+ }
+ ```
+
+ Request user authorization on the UI.
+ ```typescript
+ import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
+ import common from '@ohos.app.ability.common';
+
+ @Entry
+ @Component
+ struct Index {
+ reqPermissions() {
+ let context = getContext(this) as common.UIAbilityContext;
+ let atManager = abilityAccessCtrl.createAtManager();
+ // The return value of requestPermissionsFromUser determines whether to display a dialog box to request user authorization.
+ const permissions: Array = ['ohos.permission.READ_CALENDAR'];
+ atManager.requestPermissionsFromUser(context, permissions).then((data) => {
+ console.info(`[requestPermissions] data: ${JSON.stringify(data)}`);
+ let grantStatus: Array = data.authResults;
+ let length: number = grantStatus.length;
+ for (let i = 0; i < length; i++) {
+ if (grantStatus[i] !== 0) {
+ // The authorization fails.
+ return;
+ }
+ }
+ // The authorization is successful.
+ }).catch((err) => {
+ console.error(`[requestPermissions] Failed to start request permissions. Error: ${JSON.stringify(err)}`);
+ })
+ }
+
+ // Page display.
+ build() {
+ // ...
+ }
+ }
+ ```
-The procedure for requesting user authorization is as follows:
+### FA Model
-1. Obtain the ability context.
-2. Call **requestPermissionsFromUser()** to request user authorization. The API determines whether to display a dialog box to request user authorization based on whether the application has the permission.
-3. Check whether the application has the permission based on the return value. If the application has the permission, the API can be invoked.
+Call [requestPermissionsFromUser()](../reference/apis/js-apis-inner-app-context.md#contextrequestpermissionsfromuser7) to request user authorization.
-### FA Model
```js
- // OnWindowStageCreate of the ability
- onWindowStageCreate() {
- var context = this.context
+import featureAbility from '@ohos.ability.featureAbility';
+
+reqPermissions() {
+ let context = featureAbility.getContext();
let array:Array = ["ohos.permission.PERMISSION2"];
// The return value of requestPermissionsFromUser determines whether to display a dialog box to request user authorization.
- context.requestPermissionsFromUser(array).then(function(data) {
- console.log("data type:" + typeof(data));
- console.log("data:" + data);
- console.log("data permissions:" + data.permissions);
- console.log("data result:" + data.authResults);
+ context.requestPermissionsFromUser(array, 1).then(function(data) {
+ console.log("data:" + JSON.stringify(data));
+ console.log("data permissions:" + JSON.stringify(data.permissions));
+ console.log("data result:" + JSON.stringify(data.authResults));
}, (err) => {
- console.error('Failed to start ability', err.code);
+ console.error('Failed to start ability', err.code);
});
- }
-
+}
```
-> **NOTE**
->
-> For details about how to use the APIs for the FA model, see [AbilityContext](../reference/apis/js-apis-ability-context.md).
-
-### Stage Model
-```js
- import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
-
- // OnWindowStageCreate of the ability
- onWindowStageCreate() {
- var context = this.context
- var AtManager = abilityAccessCtrl.createAtManager();
- // The return value of requestPermissionsFromUser determines whether to display a dialog box to request user authorization.
- AtManager.requestPermissionsFromUser(context, ["ohos.permission.CAMERA"]).then((data) => {
- console.log("data type:" + typeof(data));
- console.log("data:" + data);
- console.log("data permissions:" + data.permissions);
- console.log("data result:" + data.authResults);
- }).catch((err) => {
- console.error('Failed to start ability', err.code);
- })
- }
+## Pre-Authorizing user_grant Permissions
+By default, the **user_grant** permissions must be dynamically authorized by the user through a dialog box. However, for pre-installed applications, you can pre-authorize the permissions, for example, the **ohos.permission.MICROPHONE** permission for camera applications, in the [**install_list_permission.json**](https://gitee.com/openharmony/vendor_hihope/blob/master/rk3568/preinstall-config/install_list_permissions.json) file to prevent the user authorization dialog box from being displayed. The **install_list_permissions.json** file is in the **/system/etc/app/** directory on a device. When the device is started, the **install_list_permissions.json** file is loaded. When the application is installed, the user_grant permissions in the file are granted. The **install_list_permissions.json** file contains the following fields:
-```
-> **NOTE**
-> For details about how to use the APIs for the stage model, see [Application Access Control](../reference/apis/js-apis-abilityAccessCtrl.md).
+- **bundleName**: bundle name of the application.
+- **app_signature**: fingerprint information of the application. For details, see **Configuration in install_list_capability.json** in [Application Privilege Configuration Guide](../../device-dev/subsystems/subsys-app-privilege-config-guide.md).
+- **permissions**: **name** specifies the name of the **user_grant** permission to pre-authorize. **userCancellable** specifies whether the user can revoke the pre-authorization. The value **true** means the user can revoke the pre-authorization; the value **false** means the opposite.
-## Pre-Authorizing user_grant Permissions
-By default, the **user_grant** permissions must be granted by the user through a dialog box. However, for pre-installed applications, such as screenshot applications, you can pre-authorize the permissions to prevent the user authorization dialog box from being displayed. The [**install_list_permissions.json** file](https://gitee.com/openharmony/vendor_hihope/blob/master/rk3568/preinstall-config/install_list_permissions.json) is in the **/system/etc/app/** directory on a device. When the device is started, the **install_list_permissions.json** file is loaded. When the application is installed, the **user_grant** permissions in the file are granted. The **install_list_permissions.json** file is available only for preinstalled applications.
-The **install_list_permissions.json** file contains the **bundleName**, **app_signature**, and **permissions** fields.
-1. The permissions here are user_grant permissions only. For details about the permissions, see the [Application Permission List](permission-list.md).
-2. **userCancellable** specifies whether the user can revoke the authorization. The value **true** means the user can revoke the authorization; the value **false** means the opposite.
+> **NOTE**
This file is available only for preinstalled applications.
```json
[
+ // ...
{
- "bundleName": "com.ohos.myapplication", // Bundle name.
- "app_signature":[], // Fingerprint information.
+ "bundleName": "com.example.myapplication", // Bundle Name.
+ "app_signature": ["****"], // Fingerprint information.
"permissions":[
{
- "name":"xxxx", // Permission name, which cannot be left blank.
- "userCancellable":false // The user cannot revoke the authorization. This field cannot be left blank.
+ "name": "ohos.permission.PERMISSION_X", // Permission to pre-authorize.
+ "userCancellable": false // The user cannot revoke the authorization.
},
{
- "name":"yyy", // Permission name, which cannot be left blank.
- "userCancellable":true // The user can revoke the authorization. This field cannot be left blank.
+ "name": "ohos.permission.PERMISSION_X", // Permission to pre-authorize.
+ "userCancellable": true // The user can revoke the authorization.
}
]
}
]
-```
\ No newline at end of file
+```
diff --git a/en/application-dev/security/accesstoken-overview.md b/en/application-dev/security/accesstoken-overview.md
index e42543a356fb71dee1c6eea6e84a2115ca1518be..b6eb50c0d37613e8bd7ee1ca98e1f86b9002ceea 100644
--- a/en/application-dev/security/accesstoken-overview.md
+++ b/en/application-dev/security/accesstoken-overview.md
@@ -1,56 +1,56 @@
# Access Control (Permission) Overview
-OpenHarmony AccessTokenManager (ATM) implements unified app permission management based on access tokens.
+OpenHarmony AccessTokenManager (ATM) implements unified management of application permissions based on access tokens.
-By default, apps can access limited system resources. However, to provide extended features, an app may need to access excess data (including personal data) and functions of the system or another app. The system or apps must also explicitly share their data or functions through APIs. OpenHarmony uses app permissions to perform access control and prevent improper or malicious use of these data or functions.
+By default, applications can access limited system resources. However, to provide extended features, an application may need to access excess data (including personal data) and functions of the system or another application. The system or applications must also explicitly share their data or functions through APIs. OpenHarmony uses application permissions to prevent unauthorized access to and improper or malicious use of these data or functions.
-App permissions are used to protect the following objects:
+Application permissions are used to protect the following objects:
-- Data: personal data (such as photos, contacts, calendar, and location), device data (such as device ID, camera, and microphone), and app data.
-- Functions: device functions (such as making calls, sending SMS messages, and connecting to the Internet) and app functions (such as displaying windows and creating shortcuts).
+- Data: includes personal data (such as photos, contacts, calendar, and location), device data (such as device ID, camera, and microphone), and application data.
+- Functions: includes device functions (such as making calls, sending SMS messages, and connecting to the Internet) and application functions (such as displaying windows and creating shortcuts).
-Without the required permissions, an app cannot access or perform operations on the target object. Permissions must be clearly defined for apps. With well-defined app permissions, the system can standardize app behavior and protect user privacy. Before an app accesses the target object, the target object verifies the app's permissions and denies the access if the app does not have required permissions.
+Without the required permissions, an application cannot access or perform operations on the target object. Permissions must be clearly defined for applications. With well-defined application permissions, the system can standardize application behavior and protect user privacy. Before an application accesses an object, the object verifies the application's permissions and denies the access if the application does not have required permissions.
-Currently, ATM verifies app permissions based on the token identity (token ID). A token ID identifies an app. ATM manages app permissions based on the app's token ID.
+Currently, ATM verifies application permissions based on the token identity (token ID). A token ID identifies an application. ATM manages application permissions based on the application's token ID.
## Basic Principles for Permission Management
-Observe the following principles for permission management:
+Observe the following permission management principles:
-- Provide clear description about the functions and scenarios for each permission required by the app so that users can clearly know why and when these permissions are needed. Do not induce or mislead users' authorization. The permissions on an app must comply with the description provided in the app.
-- Use the principle of least authority for user permissions. Allow only necessary permissions for service functions.
-- When an app is started for the first time, avoid frequently displaying dialog boxes to request multiple permissions. Allow the app to apply for the permission only when it needs to use the corresponding service function.
-- If a user rejects to grant a permission, the user can still use functions irrelevant to this permission and can register and access the app.
+- Provide clear description about the usage and scenario for each permission required by the application so that user can clearly know why and when these permissions are needed. Do not induce or mislead users' authorization. The permissions on an application must comply with the description provided in the application.
+- Use the principle of least authority for application permissions. Allow only necessary permissions for service functions.
+- When an application is started for the first time, avoid frequently displaying dialog boxes to request multiple permissions. Allow the application to apply for the permission only when it needs to use the corresponding service function.
+- If a user rejects to grant a permission, the user can still use functions irrelevant to this permission and can register and access the application.
- Provide no more message if a user rejects the authorization required by a function. Provide onscreen instructions to direct the user to grant the permission in **Settings** if the user triggers this function again or needs to use this function.
-- All the permissions granted to apps must come from the [App Permission List](permission-list.md). Custom permissions are not allowed currently.
+- All the permissions for applications must come from the [Application Permission List](permission-list.md). Custom permissions are not allowed currently.
## Permission Workflows
-### Permission Application and Use
+### Applying for and Using a Permission
-Determine the permissions required by an app, and declare the required permissions in the app installation package.
+Determine the permissions required by an application, and declare the required permissions in the application installation package.
Determine whether the required permissions need user authorization. If yes, display a dialog box dynamically to request user authorization.
-After the user grants the permissions, the app can access the data or perform the operation.
+After the user grants the permissions, the application can access the data or perform the operation.
The figure below illustrates the process.
-1. Refer to the figure below to determine whether an app can apply for a permission.
+1. Refer to the figure below to determine whether an application can apply for a permission.
-1. See [Permission Levels](#permission-levels) for details about the mapping between the application Ability Privilege Level (APL) and permission level.
+1. See [Permission Levels](#permission-levels) for details about the mapping between the application Ability Privilege Level (APL) and the permission level.
2. The permission authorization modes include user_grant (permission granted by the user) and system_grant (permission granted by the system). For details, see [Permission Types](#permission-types).
-3. A low-APL app can have a high-level permission by using the Access Control List (ACL). For details, see [ACL](#acl).
+3. A low-APL application can have a high-level permission by using the Access Control List (ACL). For details, see [ACL](#acl).
-### Permission Verification
-To protect sensitive data and eliminate security threads on core abilities, you can use the permissions in the [App Permission List](permission-list.md) to protect an API from unauthorized calling. Each time before the API is called, a permission verification is performed to check whether the caller has the required permission.
+### Verifying a Permission
+To protect sensitive data and eliminate security threats on core abilities, you can use the permissions in the [Application Permission List](permission-list.md) to protect an API from unauthorized calling. Each time before the API is called, a verification is performed to check whether the caller has the required permission.
The API can be called only after the permission verification is successful.
@@ -58,37 +58,37 @@ The figure below shows the permission verification process.
-1: An app permission can be used to control the access to an API that has sensitive data involved or security threats on the core abilities.
+1: An application permission can be used to control the access to an API that has sensitive data involved or security threats on core abilities.
-2: The API can be protected by a permission in the [ACL](#acl). For example, if contact information is involved in an API provided by an app, you can use the contact-related permissions to protect the API.
+2: The API can be protected by a permission in the [ACL](#acl). For example, if contact information is involved in an API provided by an application, you can use a contact-related permission to protect the API.
-3: Use **verifyAccessToken()** to check whether the caller has the required permission. For details, see [Permission Verification Guide](permission-verify-guidelines.md).
+3: Use **checkAccessToken()** to check whether the caller has the required permission. For details, see [API Access Permission Verification](permission-verify-guidelines.md).
## Permission Levels
ATM defines different permission levels based on the sensitivity of the data involved or the security threat of the ability to protect user privacy.
-### App APLs
+### Application APLs
-The APL defines the priority of the app permission requested. Apps of different APLs can apply for permissions of different levels.
+The APL defines the priority for an application to apply for permissions. Applications of different APLs can apply for permissions of different levels.
-The table below describes the APLs.
+The following table describes the APLs.
| APL | Description |
| ---------------- | -------------------------------------- |
-| system_core | The apps of this level provide core abilities of the operating system (OS). |
-| system_basic| The apps of this level provide basic system services. |
-| Normal | The apps of this level are normal apps. |
+| system_core | Application that provides core abilities of the operating system (OS). |
+| system_basic| Application that provides basic system services. |
+| normal | Normal application. |
-The default APL of apps is **normal**.
+The default APL of applications is **normal**.
-To set an app's APL to **system_basic** or **system_core**, declare the APL in the **apl** field of **bundle-info** in the app's profile when developing the app's installation package.
+To set an application's APL to **system_basic** or **system_core**, set the **apl** field under **bundle-info** in the application's profile when developing the application's installation package.
-Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate or use DevEco Studio to [have your app automatically signed](https://developer.harmonyos.com/en/docs/documentation/doc-guides/ohos-auto-configuring-signature-information-0000001271659465#section161281722111).
+Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate or use DevEco Studio to [have your application automatically signed](https://developer.harmonyos.com/en/docs/documentation/doc-guides/ohos-auto-configuring-signature-information-0000001271659465#section161281722111).
-> **CAUTION**
The method of changing the app's APL in its profile applies only to the app or service in debug mode. For a commercial app, apply for a release certificate and profile in the corresponding app market.
+> **CAUTION**
The method of changing the application's APL in its profile applies only to the application or service in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market.
-The following is an example.
+Example:
This example shows only the modification of the **apl** field. Set other fields based on your requirements. For details about the fields in the profile, see [HarmonyAppProvision Configuration File](app-provision-structure.md).
@@ -107,25 +107,25 @@ This example shows only the modification of the **apl** field. Set other fields
### Levels of Permissions
-The permissions open to apps vary with the permission level. The permission levels include the following in ascending order of seniority.
+The permissions available to applications vary with the APL. The permission levels include the following in ascending order of seniority.
- **normal**
- The normal permission allows access to common system resources beyond the default rules. Access to these system resources (including data and functions) has minor risks on user privacy and other apps.
+ The **normal** permission allows access to common system resources beyond the default rules. Access to these resources (including data and functions) has minor risks on user privacy and other applications.
- The permissions of this level are available only to apps of the normal or higher APL.
+ The permissions of this level are available to applications of the **normal** or higher APL.
- **system_basic**
- The system_basic permission allows access to resources related to basic OS services. The basic services are basic functions provided or preconfigured by the system, such as system settings and identity authentication. Access to these resources may have considerable risks to user privacy and other apps.
+ The **system_basic** permission allows access to resources related to basic OS services. The basic services are basic functions provided or preconfigured by the system, such as system settings and identity authentication. Access to these resources may have considerable risks to user privacy and other applications.
- The permissions of this level are available only to apps of the system_basic or system_core APL.
+ The permissions of this level are available only to applications of the **system_basic** or **system_core** APL.
- **system_core**
- The system_core permission allows access to core resources of the OS. These resources are underlying core services of the system. If these resources are corrupted, the OS cannot run properly.
+ The **system_core** permission allows access to core resources of the OS. These resources are underlying core services of the system. If these resources are corrupted, the OS cannot run properly.
- The system_core permissions are not open to third-party apps.
+ The **system_core** permissions are not available to third-party applications.
## Permission Types
@@ -133,80 +133,80 @@ Permissions can be classified into the following types based on the authorizatio
- **system_grant**
- The app permissions are authorized by the system. Apps granted with this type of permission cannot access user or device sensitive information, and the operations allowed for them have minor impact on the system or other apps.
+ A system_grant permission is authorized by the system. The application with this type of permission cannot access user or device sensitive information, and the operations allowed have minor impact on the system or other applications.
- For a system_grant app, the system automatically grants the required permissions to the app when the app is installed. The system_grant permission list must be presented to users on the details page of the app in the app market.
+ For an application with a system_grant permission, the system automatically grants the permission to the application when the application is installed. The system_grant permission list must be presented to users on the details page of the application in the application market.
- **user_grant**
- The app permissions must be authorized by users. Apps granted with this type of permissions may access user or device sensitive information, and the operations allowed for them may have a critical impact on the system or other apps.
+ A user_grant permission must be authorized by the user. An application with this type of permission may access user or device sensitive information, and the operations allowed may have a critical impact on the system or other applications.
- This type of permissions must be declared in the app installation package and authorized by users dynamically during the running of the app. The app has the permission only after user authorization.
+ This type of permissions must be declared in the application installation package and authorized by users dynamically during the running of the application. The application has the permission only after user authorization.
- For example, as described in the [App Permission List](permission-list.md), the permissions for microphones and cameras are user_grant. The list provides reasons for using the permissions.
+ For example, the permissions for microphones and cameras in the [Application Permission List](permission-list.md) are user_grant. The list provides information about when to use the permissions.
- The user_grant permission list must also be presented on the details page of the app in the app market.
+ The user_grant permission list must also be presented on the details page of each application in the application market.
### Authorization Processes
-As described in [Permission Workflows](permission-workflows), you need to first apply for the required permissions for the app.
+As described in [Permission Workflows](permission-workflows), you need to first apply for the required permissions for your application.
-- Applying for permissions
+- Applying for a permission
- You need to [declare the required permissions](accesstoken-guidelines.md#declaring-permissions) in the configuration file.
+ You need to [declare the required permissions](accesstoken-guidelines.md#declaring-permissions-in-the-configuration-file) in the configuration file.
-- Authorizing permissions
+- Authorizing a permission
- - The system_grant permission will be pre-granted when the app is installed.
- - For a user_grant permission, you need to trigger user authorization through a dialog box during the running of the app. For details, see [Requesting User Authorization](#requesting-user-authorization).
+ - The system_grant permission is pre-granted when the application is installed.
+ - For a user_grant permission, you need to trigger user authorization through a dialog box during the running of the application. For details, see [Requesting User Authorization](#requesting-user-authorization).
### Requesting User Authorization
The procedure is as follows:
-1. In the configuration file, declare the permissions required by the app. For details, see [Access Control Development](accesstoken-guidelines.md).
+1. In the configuration file, declare the permissions required by your application. For details, see [Permission Application Guide](accesstoken-guidelines.md).
-2. Associate the target objects in the app with the related permissions. This allows the users to know the operations that need user authorization.
+2. Associate the target object in the application with the required permission. This allows the users to know the operations that need user authorization.
-3. Use an API to dynamically trigger a dialog box requesting user authorization when the target object is accessed. The API first checks whether the user has granted the required permissions to the app. If yes, the app can access the data or perform the operation. Otherwise, a dialog box will be displayed to request user authorization.
+3. Use an API to dynamically trigger a dialog box for requesting user authorization when the target object is accessed. This API first checks whether the user has granted the permission required. If no, a dialog box will be displayed to request authorization from the user.
-4. Check the user authorization result. Allow the subsequent operation only after the user has granted the permissions to the app.
+4. Check the user authorization result. Allow the subsequent operations only after the user has granted the permission to the application successfully.
-**Precautions**
+**Caution**
-- Check the app's permission each time before the operation requiring the permission is performed.
-- To check whether a user has granted specific permissions to an app, use the [verifyAccessToken](../reference/apis/js-apis-abilityAccessCtrl.md) API. This API returns [PERMISSION_GRANTED](../reference/apis/js-apis-abilityAccessCtrl.md) or [PERMISSION_DENIED](../reference/apis/js-apis-abilityAccessCtrl.md). For details about the sample code, see [Access Control Development](accesstoken-guidelines.md).
-- Users must be able to understand and control the authorization of user_grant permissions. During the running process, the app requiring user authorization must proactively call an API to dynamically request the authorization. Then, the system displays a dialog box asking the user to grant the permission. The user will determine whether to grant the permission based on the running context of the app.
-- The permission authorized is not permanent, because the user may revoke the authorization at any time. Therefore, even if the user has granted the requested permission to the app, the app must check for the permission before calling the API controlled by this permission.
+- Each time before the operation that requires the target permission is performed, the application must check whether the permission is available.
+- To check whether a user has granted a permission to your application, use [checkAccessToken()](../reference/apis/js-apis-abilityAccessCtrl.md#checkaccesstoken9). This API returns [PERMISSION_GRANTED](../reference/apis/js-apis-abilityAccessCtrl.md) or [PERMISSION_DENIED](../reference/apis/js-apis-abilityAccessCtrl.md). For details about the sample code, see [Permission Application Guide](accesstoken-guidelines.md).
+- Users must be able to understand and control the authorization of user_grant permissions. For a user_grant permission, the application must proactively call an API to dynamically request user authorization. Then, the system displays a dialog box asking the user to grant the permission. The user then determines whether to grant the permission.
+- The user may revoke the permission authorization at any time. Therefore, each time before an API associated with a user_grant permission is called, the application must check whether the permission is available.
## ACL
-As described above, permission levels and app APLs are in one-to-one correspondence. In principle, **an app with a lower APL cannot apply for higher permissions by default**.
+Permission levels and application APLs are in one-to-one correspondence. In principle, an application with a lower APL cannot apply for higher-level permissions by default.
-The ACL makes low-APL apps have high-level permissions.
+The ACL makes low-APL applications have high-level permissions.
-**Example**
+**Example:**
-The APL of app A is **normal**. App A needs to have permission B (system_basic level) and permission C (normal level).
+The APL of application A is **normal**. Application A needs to have permission B (system_basic level) and permission C (normal level).
-In this case, you can use the ACL to grant permission B to app A.
+In this case, you can use the ACL to grant permission B to application A.
For details, see [Using the ACL](#using-the-acl).
-For details about whether a permission can be enabled through the ACL, see [App Permission List](permission-list.md).
+For details about whether a permission can be enabled via the ACL, see [Application Permission List](permission-list.md).
### Using the ACL
-If the permission required by an app has a higher level than the app's APL, you can use the ACL to grant the permission required.
+If the permission required by an application has a higher level than the application's APL, you can use the ACL to grant the permission required.
In addition to the preceding [authorization processes](#authorization-processes), you must declare the ACL.
-That is, you need to declare the required permissions in the app's configuration file, and [declare the ACL](accesstoken-guidelines.md#declaring-permissions-in-the-acl) in the app's profile. The subsequent steps of authorization are the same.
+That is, you need to declare the required permissions in the application's configuration file, and [declare the ACL](accesstoken-guidelines.md#declaring-the-acl) in the application's profile. The subsequent authorization steps are the same.
**NOTICE**
-When developing an app installation package, you must declare the ACL in the **acls** field in the app's profile. Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate.
+When developing an application installation package, you must declare the ACL in the **acls** field in the application's profile. Then, use the [hapsigner](hapsigntool-overview.md) tool to generate a certificate.
-> **CAUTION**
The method of changing the app's APL in its profile applies only to the app or service in debug mode. For a commercial app, apply for a release certificate and profile in the corresponding app market.
+> **CAUTION**
The method of changing the application's APL in its profile applies only to the application or service in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market.
```json
{
diff --git a/en/application-dev/security/permission-list.md b/en/application-dev/security/permission-list.md
index f3e380bbfd572a2bd159801f8fecee60af5e681b..c20a672c4a122bc3856a69a39701ffc2114348ed 100644
--- a/en/application-dev/security/permission-list.md
+++ b/en/application-dev/security/permission-list.md
@@ -12,7 +12,7 @@ Allows an application to access Bluetooth configurations.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.DISCOVER_BLUETOOTH
@@ -22,7 +22,7 @@ Allows an application to configure Bluetooth on a device, initiate or cancel a s
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_BLUETOOTH
@@ -32,7 +32,7 @@ Allows an application to pair with a Bluetooth device and access the contacts or
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.INTERNET
@@ -42,7 +42,7 @@ Allows an application to access the Internet.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MODIFY_AUDIO_SETTINGS
@@ -52,7 +52,7 @@ Allows an application to modify audio settings.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACCESS_NOTIFICATION_POLICY
@@ -66,23 +66,23 @@ Allows an application to access the notification policy on the device.
## ohos.permission.GET_TELEPHONY_STATE
-Allows an application to read telephony information.
+Allows an application to read telephony information.
**Permission level**: system_basic
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.REQUIRE_FORM
-Allows an application to obtain widgets.
+Allows an application to obtain the Ability Form.
**Permission level**: system_basic
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_NETWORK_INFO
@@ -92,7 +92,7 @@ Allows an application to obtain network information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.PLACE_CALL
@@ -102,7 +102,7 @@ Allows an application to make calls without starting the dialer.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_NETWORK_INFO
@@ -112,7 +112,7 @@ Allows an application to set data network information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.REMOVE_CACHE_FILES
@@ -122,7 +122,7 @@ Allows the cache of the specified application to be cleared.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.REBOOT
@@ -132,7 +132,7 @@ Allows an application to restart the device.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.RUNNING_LOCK
@@ -142,7 +142,7 @@ Allows an application to obtain a running lock.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_TIME
@@ -152,7 +152,7 @@ Allows an application to set the system time.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_TIME_ZONE
@@ -162,17 +162,17 @@ Allows an application to set the system time zone.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.DOWNLOAD_SESSION_MANAGER
-Allows an application to manage download sessions.
+Allows an application to manage the download sessions.
**Permission level**: system_core
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.COMMONEVENT_STICKY
@@ -182,7 +182,7 @@ Allows an application to publish sticky common events.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SYSTEM_FLOAT_WINDOW
@@ -192,7 +192,7 @@ Allows an application to be displayed in a floating window on top of other appli
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.PRIVACY_WINDOW
@@ -202,7 +202,7 @@ Allows an application to set screens that cannot be captured or recorded.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.POWER_MANAGER
@@ -212,7 +212,7 @@ Allows an application to hibernate or wake up the device by calling an API.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.REFRESH_USER_ACTION
@@ -222,7 +222,7 @@ Allows an application to reset the screen timeout counter when a user input even
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.POWER_OPTIMIZATION
@@ -232,7 +232,7 @@ Allows an application to set power saving mode, obtain configuration of the powe
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.REBOOT_RECOVERY
@@ -242,7 +242,7 @@ Allows an application to restart the device and enter Recovery mode.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_LOCAL_ACCOUNTS
@@ -252,7 +252,7 @@ Allows an application to manage local user accounts.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS
@@ -262,7 +262,7 @@ Allows access between multiple OS accounts.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.VIBRATE
@@ -272,7 +272,7 @@ Allows an application to control vibration.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CONNECT_IME_ABILITY
@@ -282,7 +282,7 @@ Allows an application to bind the InputMethodAbility.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CONNECT_SCREEN_SAVER_ABILITY
@@ -292,7 +292,7 @@ Allows an application to bind the ScreenSaverAbility.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_SCREEN_SAVER
@@ -302,7 +302,7 @@ Allows an application to read the screen saver information, such as the list of
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_SCREEN_SAVER
@@ -312,7 +312,7 @@ Allows an application to modify the screen saver information, such as activating
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_WALLPAPER
@@ -322,7 +322,7 @@ Allows an application to set a static wallpaper.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_WALLPAPER
@@ -332,7 +332,7 @@ Allows an application to read wallpaper files.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CHANGE_ABILITY_ENABLED_STATE
@@ -342,7 +342,7 @@ Allows an application to enable or disable an application or component.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACCESS_MISSIONS
@@ -352,7 +352,7 @@ Allows an application to obtain information about running processes and mission
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CLEAN_BACKGROUND_PROCESSES
@@ -362,7 +362,7 @@ Allows an application to clear background processes based on their bundle names.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.KEEP_BACKGROUND_RUNNING
@@ -372,7 +372,7 @@ Allows a Service ability to keep running in the background.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.UPDATE_CONFIGURATION
@@ -382,7 +382,7 @@ Allows an application to modify system settings.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.UPDATE_SYSTEM
@@ -392,7 +392,7 @@ Allows an application to call the update APIs.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.FACTORY_RESET
@@ -402,7 +402,7 @@ Allows an application to call the API for restoring factory settings.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GRANT_SENSITIVE_PERMISSIONS
@@ -412,7 +412,7 @@ Allows an application to grant sensitive permissions to other applications.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.REVOKE_SENSITIVE_PERMISSIONS
@@ -422,7 +422,7 @@ Allows an application to revoke sensitive permissions granted to other applicati
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_SENSITIVE_PERMISSIONS
@@ -432,7 +432,7 @@ Allows an application to obtain the sensitive permissions that have been granted
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION
@@ -442,7 +442,7 @@ Allows an application to set the attributes of applications of other users.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.LISTEN_BUNDLE_CHANGE
@@ -452,7 +452,7 @@ Allows an application to listen for changes in other applications, when they are
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_BUNDLE_INFO
@@ -462,7 +462,7 @@ Allows an application to obtain information about another application. This perm
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_BUNDLE_INFO_PRIVILEGED
@@ -472,7 +472,7 @@ Allows an application to obtain information about other applications at the same
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACCELEROMETER
@@ -482,7 +482,7 @@ Allows an application to read data from an acceleration sensor, uncalibrated acc
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GYROSCOPE
@@ -492,7 +492,7 @@ Allows an application to read data from a gyroscope sensor or uncalibrated gyros
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.INSTALL_BUNDLE
@@ -502,7 +502,7 @@ Allows an application to install and uninstall other applications.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_SHORTCUTS
@@ -512,7 +512,7 @@ Allows an application to query and start shortcuts of other applications.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.radio.ACCESS_FM_AM
@@ -522,7 +522,7 @@ Allows an application to access radio services.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_TELEPHONY_STATE
@@ -532,7 +532,7 @@ Allows an application to change the telephone state.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.START_ABILITIES_FROM_BACKGROUND
@@ -542,7 +542,7 @@ Allows an application to start or access other components from the background.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.BUNDLE_ACTIVE_INFO
@@ -552,7 +552,7 @@ Allows an application to obtain how long other applications have been running in
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.START_INVISIBLE_ABILITY
@@ -562,7 +562,7 @@ Allows an application to start an invisible ability.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.sec.ACCESS_UDID
@@ -572,7 +572,7 @@ Allows an application to obtain the Unified Device ID (UDID).
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.LAUNCH_DATA_PRIVACY_CENTER
@@ -582,7 +582,7 @@ Allows an application to switch from its privacy statement page to the Data &
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_MEDIA_RESOURCES
@@ -592,7 +592,7 @@ Allows an application to obtain and manage the media resources that are being pl
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.PUBLISH_AGENT_REMINDER
@@ -602,7 +602,7 @@ Allows an application to use agent-powered reminders.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CONTROL_TASK_SYNC_ANIMATOR
@@ -612,7 +612,7 @@ Allows an application to use sync task animations.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.INPUT_MONITORING
@@ -622,7 +622,7 @@ Allows an application to listen for input events. Only the system signed applica
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_MISSIONS
@@ -632,7 +632,7 @@ Allows an application to manage ability mission stacks.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.NOTIFICATION_CONTROLLER
@@ -642,7 +642,7 @@ Allows an application to manage and subscribe to notifications.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CONNECTIVITY_INTERNAL
@@ -652,7 +652,7 @@ Allows an application to obtain network information or modify network settings.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_ABILITY_CONTROLLER
@@ -662,7 +662,7 @@ Allows an application to set the start and stop of an ability.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.USE_USER_IDM
@@ -692,7 +692,7 @@ Allows an application to use biometric recognition for identity authentication.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACCESS_USER_AUTH_INTERNAL
@@ -722,7 +722,7 @@ Allows an application to obtain running status information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CLEAN_APPLICATION_DATA
@@ -732,7 +732,7 @@ Allows an application to clear application data.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.RUNNING_STATE_OBSERVER
@@ -742,7 +742,7 @@ Allows an application to observe the application status.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CAPTURE_SCREEN
@@ -752,7 +752,7 @@ Allows an application to take screenshots.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_WIFI_INFO
@@ -762,7 +762,7 @@ Allows an application to obtain WLAN information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_WIFI_INFO_INTERNAL
@@ -772,7 +772,7 @@ Allows an application to obtain WLAN information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_WIFI_INFO
@@ -782,7 +782,7 @@ Allows an application to set WLAN devices.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_WIFI_PEERS_MAC
@@ -792,7 +792,7 @@ Allows an application to obtain the MAC address of the peer WLAN or Bluetooth de
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_WIFI_LOCAL_MAC
@@ -802,7 +802,7 @@ Allows an application to obtain the MAC address of the local WLAN or Bluetooth d
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_WIFI_CONFIG
@@ -812,7 +812,7 @@ Allows an application to obtain the WLAN configuration.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_WIFI_CONFIG
@@ -822,7 +822,7 @@ Allows an application to set WLAN information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_WIFI_CONNECTION
@@ -832,7 +832,7 @@ Allows an application to manage WLAN connections.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_WIFI_HOTSPOT
@@ -842,7 +842,7 @@ Allows an application to enable or disable Wi-Fi hotspots.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_ALL_APP_ACCOUNTS
@@ -862,7 +862,7 @@ Allows an application to modify security settings.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_DFX_SYSEVENT
@@ -882,7 +882,7 @@ Allows an application to activate the device administrator app.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_ENTERPRISE_INFO
@@ -892,7 +892,7 @@ Allows the device administrator application to set enterprise information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT
@@ -902,7 +902,7 @@ Allows the device administrator application to subscribe to management events.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ENTERPRISE_SET_DATETIME
@@ -912,7 +912,7 @@ Allows the device administrator application to set the system time.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ENTERPRISE_GET_DEVICE_INFO
@@ -922,7 +922,7 @@ Allows the device administrator application to obtain device information.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.NFC_TAG
@@ -952,7 +952,7 @@ Allows a system application to access the permission usage records.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.NOTIFICATION_AGENT_CONTROLLER
@@ -962,7 +962,7 @@ Allows an application to send agent-powered notifications.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ANSWER_CALL
@@ -972,7 +972,7 @@ Allows an application to answer incoming calls.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_CALENDAR
@@ -982,7 +982,7 @@ Allows an application to read calendar data.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_CALL_LOG
@@ -992,7 +992,7 @@ Allows an application to read call logs.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_CELL_MESSAGES
@@ -1002,7 +1002,7 @@ Allows an application to read cell broadcast messages received by the device.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_CONTACTS
@@ -1012,7 +1012,7 @@ Allows an application to read contacts.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_MESSAGES
@@ -1022,7 +1022,7 @@ Allows an application to read messages.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.RECEIVE_MMS
@@ -1032,7 +1032,7 @@ Allows an application to receive and process MMS messages.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.RECEIVE_SMS
@@ -1042,7 +1042,7 @@ Allows an application to receive and process SMS messages.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.RECEIVE_WAP_MESSAGES
@@ -1052,7 +1052,7 @@ Allows an application to receive and process WAP messages.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MICROPHONE
@@ -1062,7 +1062,7 @@ Allows an application to access the microphone.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SEND_MESSAGES
@@ -1072,7 +1072,7 @@ Allows an application to send messages.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_CALENDAR
@@ -1082,7 +1082,7 @@ Allows an application to add, remove, and modify calendar events.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_CALL_LOG
@@ -1092,7 +1092,7 @@ Allows an application to add, remove, and modify call logs.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_CONTACTS
@@ -1102,7 +1102,7 @@ Allows an application to add, remove, and modify contacts.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.DISTRIBUTED_DATASYNC
@@ -1112,7 +1112,7 @@ Allows an application to exchange data with other devices.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_VOICEMAIL
@@ -1122,7 +1122,7 @@ Allows an application to leave messages in the voice mailbox.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.LOCATION_IN_BACKGROUND
@@ -1142,7 +1142,9 @@ Allows an application to obtain the device location.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
+
+**Application conditions**: The applications developed using the SDK earlier than API version 9 can directly apply for this permission. For the applications developed using the SDK of API version 9 or later, you need to apply for [ohos.permission.APPROXIMATELY_LOCATION](#ohospermissionapproximately_location) before applying for this permission.
## ohos.permission.APPROXIMATELY_LOCATION
@@ -1154,15 +1156,17 @@ Allows an application to obtain the approximate location information of a device
**Enable ACL**: FALSE
+**Application conditions**: Only applications developed using the SDK of API version 9 or later can apply for this permission.
+
## ohos.permission.MEDIA_LOCATION
-Allow an application to access geographical locations in the user's media file.
+Allows an application to access geographical locations in the user's media file.
**Permission level**: normal
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.CAMERA
@@ -1172,7 +1176,7 @@ Allows an application to use the camera to take photos and record videos.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_MEDIA
@@ -1182,7 +1186,7 @@ Allows an application to read media files from the user's external storage.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_MEDIA
@@ -1192,7 +1196,7 @@ Allows an application to read media files from and write media files into the us
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACTIVITY_MOTION
@@ -1202,7 +1206,7 @@ Allows an application to read the current workout status of the user.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_HEALTH_DATA
@@ -1212,7 +1216,7 @@ Allows an application to read the health data of the user.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.GET_DEFAULT_APPLICATION
@@ -1222,7 +1226,7 @@ Allows an application to query default applications.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.SET_DEFAULT_APPLICATION
@@ -1232,7 +1236,7 @@ Allows an application to set and reset default applications.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_DISPOSED_APP_STATUS
@@ -1242,7 +1246,7 @@ Allows an application to set and query the application handling state.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACCESS_IDS
@@ -1252,7 +1256,7 @@ Allows an application to query the unique identifier of a device.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.DUMP
@@ -1262,7 +1266,7 @@ Allows the basic system information and SA service information to be exported.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.DISTRIBUTED_SOFTBUS_CENTER
@@ -1282,7 +1286,7 @@ Allows configuration and management of the permissions on .dlp files.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.PROVISIONING_MESSAGE
@@ -1292,7 +1296,7 @@ Allows the Super Device Manager application to be activated.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACCESS_SYSTEM_SETTINGS
@@ -1302,7 +1306,7 @@ Allows an application to access or start system **Settings**.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_IMAGEVIDEO
@@ -1312,7 +1316,7 @@ Allows access to the images or video files in a user's directory.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_AUDIO
@@ -1322,7 +1326,7 @@ Allows access to the audio files in a user's directory.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.READ_DOCUMENT
@@ -1332,7 +1336,7 @@ Allows access to the files in a user's directory.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_IMAGEVIDEO
@@ -1342,7 +1346,7 @@ Allows modification to the images or video files in a user's directory.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_AUDIO
@@ -1352,7 +1356,7 @@ Audio modification to the audio files in a user's directory.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_DOCUMENT
@@ -1362,7 +1366,7 @@ Allows modification to the files in a user's directory.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ABILITY_BACKGROUND_COMMUNICATION
@@ -1372,7 +1376,7 @@ Allows an application to start the Ability component in the background and estab
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.securityguard.REPORT_SECURITY_INFO
@@ -1392,7 +1396,7 @@ Allows an application to obtain the device risk status.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.securityguard.REQUEST_SECURITY_EVENT_INFO
@@ -1452,7 +1456,7 @@ Allows an application to to access the Ability of the push service.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.RECEIVER_STARTUP_COMPLETED
@@ -1482,7 +1486,7 @@ Allows an application to read all calendar information.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.WRITE_WHOLE_CALENDAR
@@ -1492,7 +1496,7 @@ Allows an application to add, remove, or change all calendar events.
**Authorization mode**: user_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ENFORCE_USER_IAM
@@ -1502,7 +1506,7 @@ Allows an SA to delete user information from the IAM subsystem without a token.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.ACCESS_AUTH_RESPOOL
@@ -1512,7 +1516,7 @@ Allows an SA to register the executor.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MOUNT_UNMOUNT_MANAGER
@@ -1542,7 +1546,7 @@ Allows an application to call the interfaces of the Storage Manager service to q
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.BACKUP
@@ -1552,7 +1556,7 @@ Allows an application to have backup and restore capabilities.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.FILE_ACCESS_MANAGER
@@ -1562,7 +1566,7 @@ Allows a file management application to access user data files through the FAF.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE
## ohos.permission.MANAGE_AUDIO_CONFIG
@@ -1572,4 +1576,4 @@ Allows an application to to mute microphones globally.
**Authorization mode**: system_grant
-**Enable ACL**: TRUE
+**Enable via ACL**: TRUE