# @ohos.abilityAccessCtrl (Application Access Control)

The **AbilityAccessCtrl** module provides APIs for application permission management, including authentication, authorization, and revocation.

> **NOTE**
>
> The initial APIs of this module are supported since API version 8. Newly added APIs will be marked with a superscript to indicate their earliest API version.

## Modules to Import

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl'
```

## abilityAccessCtrl.createAtManager

createAtManager(): AtManager

Creates an **AtManager** instance, which is used for application access control.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type| Description|
| -------- | -------- |
| [AtManager](#atmanager) | **AtManager** instance created.|

**Example**

```js
let atManager = abilityAccessCtrl.createAtManager();
```

## AtManager

Provides APIs for application access control.

### checkAccessToken<sup>9+</sup>

checkAccessToken(tokenID: number, permissionName: Permissions): Promise&lt;GrantStatus&gt;

Checks whether a permission is granted to an application. This API uses a promise to return the result.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to check. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise&lt;GrantStatus&gt; | Promise used to return the permission grant state.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName is greater than 256 bytes. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
    atManager.checkAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS").then((data) => {
        console.log(`checkAccessToken success, data->${JSON.stringify(data)}`);
    }).catch((err) => {
        console.log(`checkAccessToken fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessTokenSync<sup>9+</sup>

verifyAccessTokenSync(tokenID: number, permissionName: Permissions): GrantStatus

Verifies whether a permission is granted to an application. This API returns the result synchronously.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| [GrantStatus](#grantstatus) | Permission grant state.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName is greater than 256 bytes. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let data = atManager.verifyAccessTokenSync(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
console.log(`data->${JSON.stringify(data)}`);
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise&lt;void&gt;

Grants a user_grant permission to an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise&lt;void&gt; | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName is greater than 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.grantUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags).then(() => {
        console.log('grantUserGrantedPermission success');
    }).catch((err) => {
        console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback&lt;void&gt;): void

Grants a user_grant permission to an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).|
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|
| callback | AsyncCallback&lt;void&gt; | Yes| Callback invoked to return the result. If the permission is granted, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName is greater than 256 bytes, or the flags value is invalid. |
| 12100002 | TokenId does not exist. |
| 12100003 | Permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.grantUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags, (err, data) => {
        if (err) {
            console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
        } else {
            console.log('grantUserGrantedPermission success');
        }
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise&lt;void&gt;

Revokes a user_grant permission from an application.
This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise&lt;void&gt; | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName is greater than 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.revokeUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags).then(() => {
        console.log('revokeUserGrantedPermission success');
    }).catch((err) => {
        console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback&lt;void&gt;): void

Revokes a user_grant permission from an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|
| callback | AsyncCallback&lt;void&gt; | Yes| Callback invoked to return the result. If the permission is revoked, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName is greater than 256 bytes, or the flags value is invalid. |
| 12100002 | TokenId does not exist. |
| 12100003 | Permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.revokeUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags, (err, data) => {
        if (err) {
            console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
        } else {
            console.log('revokeUserGrantedPermission success');
        }
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getPermissionFlags

getPermissionFlags(tokenID: number, permissionName: Permissions): Promise&lt;number&gt;

Obtains the permission flag of an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS, ohos.permission.GRANT_SENSITIVE_PERMISSIONS, or ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Target permission. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise&lt;number&gt; | Promise used to return the permission flag obtained. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName is greater than 256 bytes. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The operation is not allowed. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
    atManager.getPermissionFlags(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS").then((data) => {
        console.log(`getPermissionFlags success, data->${JSON.stringify(data)}`);
    }).catch((err) => {
        console.log(`getPermissionFlags fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getVersion<sup>9+</sup>

getVersion(): Promise&lt;number&gt;

Obtains the data version of the permission management. This API uses a promise to return the result.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise&lt;number&gt; | Promise used to return the version.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let promise = atManager.getVersion();
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### on<sup>9+</sup>

on(type: 'permissionStateChange', tokenIDList: Array&lt;number&gt;, permissionList: Array&lt;Permissions&gt;, callback: Callback&lt;PermissionStateChangeInfo&gt;): void;

Subscribes to permission state changes of the specified applications and permissions.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type to subscribe to. The value is **'permissionStateChange'**, which indicates the permission grant state change. |
| tokenIDList | Array&lt;number&gt; | Yes | Token IDs of the applications to observe. If this parameter is left empty, the permission grant state changes of all applications are observed. |
| permissionList | Array&lt;Permissions&gt; | Yes | Permissions to observe. If this parameter is left empty, the grant state changes of all permissions are observed. |
| callback | Callback&lt;[PermissionStateChangeInfo](#permissionstatechangeinfo9)&gt; | Yes| Callback invoked to return the permission grant state change.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName is greater than 256 bytes. |
| 12100004 | The interface is called repeatedly with the same input. |
| 12100005 | The registration time has exceeded the limitation. |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```js
import abilityAccessCtrl, {Permissions} from '@ohos.abilityAccessCtrl';
import bundle from '@ohos.bundle.bundleManager';

let atManager = abilityAccessCtrl.createAtManager();
let appInfo = bundle.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ["ohos.permission.DISTRIBUTED_DATASYNC"];
try {
    atManager.on('permissionStateChange', tokenIDList, permissionList, (data) => {
        console.debug("receive permission state change, data:" + JSON.stringify(data));
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### off<sup>9+</sup>

off(type: 'permissionStateChange', tokenIDList: Array&lt;number&gt;, permissionList: Array&lt;Permissions&gt;, callback?: Callback&lt;PermissionStateChangeInfo&gt;): void;

Unsubscribes from permission grant state changes of the specified applications and permissions. This API uses a callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type to unsubscribe from. The value is **'permissionStateChange'**, which indicates the permission grant state change. |
| tokenIDList | Array&lt;number&gt; | Yes | Token IDs of the applications. If this parameter is left empty, the permission grant state changes of all applications are unsubscribed from. The value must be the same as that passed in **on()**. |
| permissionList | Array&lt;Permissions&gt; | Yes | Permission names. If this parameter is left empty, the grant state changes of all permissions are unsubscribed from. The value must be the same as that passed in **on()**. |
| callback | Callback&lt;[PermissionStateChangeInfo](#permissionstatechangeinfo9)&gt; | No| Callback for the permission grant state change. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenIDs or permissionNames in the list are all invalid. |
| 12100004 | The interface is not used together with "on". |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```js
import abilityAccessCtrl, {Permissions} from '@ohos.abilityAccessCtrl';
import bundle from '@ohos.bundle.bundleManager';

let atManager = abilityAccessCtrl.createAtManager();
let appInfo = bundle.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ["ohos.permission.DISTRIBUTED_DATASYNC"];
try {
    atManager.off('permissionStateChange', tokenIDList, permissionList);
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>9+</sup>

verifyAccessToken(tokenID: number, permissionName: Permissions): Promise&lt;GrantStatus&gt;

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise&lt;GrantStatus&gt; | Promise used to return the permission grant state.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let promise = atManager.verifyAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array&lt;Permissions&gt;, requestCallback: AsyncCallback&lt;PermissionRequestResult&gt;) : void;

Requests permissions from the user in a dialog box. This API uses an asynchronous callback to return the result.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Ability context of the application that requests the permissions. |
| permissionList | Array&lt;Permissions&gt; | Yes| Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| requestCallback | AsyncCallback&lt;[PermissionRequestResult](js-apis-permissionrequestresult.md)&gt; | Yes| Callback invoked to return the result.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
try {
    atManager.requestPermissionsFromUser(this.context, ["ohos.permission.CAMERA"], (err, data) => {
        if (err) {
            // data is not available when the request fails.
            console.log(`requestPermissionsFromUser fail, err->${JSON.stringify(err)}`);
            return;
        }
        console.info("data:" + JSON.stringify(data));
        console.info("data permissions:" + data.permissions);
        console.info("data authResults:" + data.authResults);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array&lt;Permissions&gt;) : Promise&lt;PermissionRequestResult&gt;;

Requests permissions from the user in a dialog box. This API uses a promise to return the result.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Ability context of the application that requests the permissions. |
| permissionList | Array&lt;Permissions&gt; | Yes| Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type| Description|
| -------- | -------- |
| Promise&lt;[PermissionRequestResult](js-apis-permissionrequestresult.md)&gt; | Promise used to return the result.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
try {
    atManager.requestPermissionsFromUser(this.context, ["ohos.permission.CAMERA"]).then((data) => {
        console.info("data:" + JSON.stringify(data));
        console.info("data permissions:" + data.permissions);
        console.info("data authResults:" + data.authResults);
    }).catch((err) => {
        console.info("data:" + JSON.stringify(err));
    })
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>(deprecated)</sup>

verifyAccessToken(tokenID: number, permissionName: string): Promise&lt;GrantStatus&gt;

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> This API is no longer maintained since API version 9. You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | string | Yes | Permission to check.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise&lt;GrantStatus&gt; | Promise used to return the permission grant state.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let promise = atManager.verifyAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### GrantStatus

Enumerates the permission grant states.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ------------------ | ----- | ----------- |
| PERMISSION_DENIED | -1 | Permission denied.|
| PERMISSION_GRANTED | 0 | Permission granted.|

### PermissionStateChangeType<sup>9+</sup>

Enumerates the operations that trigger permission grant state changes.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ----------------------- | ------ | ----------------- |
| PERMISSION_REVOKED_OPER | 0 | Operation to revoke the permission.|
| PERMISSION_GRANTED_OPER | 1 | Operation to grant the permission.|

### PermissionStateChangeInfo<sup>9+</sup>

Defines detailed information about the permission grant state change.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Type | Readable| Writable| Description |
| -------------- | ------------------------- | ---- | ---- | ------------------ |
| change | [PermissionStateChangeType](#permissionstatechangetype9) | Yes | No | Operation that triggers the permission grant state change. |
| tokenID | number | Yes | No | Token ID of the application. |
| permissionName | Permissions | Yes | No | Permission whose grant state changes. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |

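
The **GrantStatus** values returned by **verifyAccessTokenSync** and the rule that **off()** must receive the same lists as **on()** both shape how callers should wrap these APIs; the following is an added example, not code from the OpenHarmony documentation or SDK. The helpers `isGranted`, `watchPermissions` and `makeFakeAtManager`, and token ID 1001, are hypothetical names and constructed values; the **AtManager** object is passed in so the code also runs against a stand-in.

```js
// Added example: not part of the OpenHarmony documentation or SDK.
// Enum values copied from the GrantStatus and PermissionStateChangeType tables.
const GrantStatus = Object.freeze({ PERMISSION_DENIED: -1, PERMISSION_GRANTED: 0 });
const ChangeType = Object.freeze({ PERMISSION_REVOKED_OPER: 0, PERMISSION_GRANTED_OPER: 1 });

// Fail-closed permission check (hypothetical helper).
// PERMISSION_GRANTED is 0 and PERMISSION_DENIED is -1, so `if (status)` is
// true for a denial. Compare against the constant instead.
function isGranted(atManager, tokenID, permissionName) {
  // Inputs the API rejects with 12100001 are treated as "not granted".
  if (!Number.isInteger(tokenID) || tokenID === 0) return false;
  // Assumption: permission names are ASCII, so length equals the byte count.
  if (typeof permissionName !== 'string' || permissionName.length === 0 ||
      permissionName.length > 256) return false;
  try {
    const status = atManager.verifyAccessTokenSync(tokenID, permissionName);
    return status === GrantStatus.PERMISSION_GRANTED;
  } catch (err) {
    return false; // any error raised by the call counts as a denial
  }
}

// Subscribes to permissionStateChange and keeps the exact arguments so that
// stop() passes off() the same lists and callback that on() received
// (hypothetical helper).
function watchPermissions(atManager, tokenIDList, permissionList, onGrant) {
  const tokens = [...tokenIDList];
  const perms = [...permissionList];
  const state = new Map(); // "tokenID:permissionName" -> last observed grant state
  const callback = (info) => {
    const isGrant = info.change === ChangeType.PERMISSION_GRANTED_OPER;
    state.set(`${info.tokenID}:${info.permissionName}`, isGrant);
    if (isGrant && typeof onGrant === 'function') onGrant(info);
  };
  atManager.on('permissionStateChange', tokens, perms, callback);
  let active = true;
  return {
    grantedNow: () => [...state].filter(([, g]) => g).map(([key]) => key).sort(),
    stop() {
      if (!active) return false; // off() without a matching on() raises 12100004
      atManager.off('permissionStateChange', tokens, perms, callback);
      active = false;
      return true;
    },
  };
}

// Constructed stand-in for AtManager so the helpers can run off-device.
// `grants` is a Set of "tokenID:permissionName" strings.
function makeFakeAtManager(grants) {
  const subs = [];
  // An empty list means "observe all", as the on() parameter table states.
  const matches = (list, value) => list.length === 0 || list.includes(value);
  return {
    verifyAccessTokenSync: (tokenID, name) => (grants.has(`${tokenID}:${name}`)
      ? GrantStatus.PERMISSION_GRANTED : GrantStatus.PERMISSION_DENIED),
    on: (type, tokens, perms, cb) => { subs.push({ tokens, perms, cb }); },
    off: (type, tokens, perms, cb) => {
      const i = subs.findIndex((s) => s.cb === cb);
      if (i >= 0) subs.splice(i, 1);
    },
    // Test hook: deliver a PermissionStateChangeInfo-shaped event.
    emit(info) {
      subs.filter((s) => matches(s.tokens, info.tokenID) && matches(s.perms, info.permissionName))
        .forEach((s) => s.cb(info));
    },
    subscriberCount: () => subs.length,
  };
}

// Constructed scenario: token 1001 holds CAMERA, then DISTRIBUTED_DATASYNC is
// granted and revoked while a watcher is registered.
function demo() {
  const CAMERA = 'ohos.permission.CAMERA';
  const SYNC = 'ohos.permission.DISTRIBUTED_DATASYNC';
  const at = makeFakeAtManager(new Set([`1001:${CAMERA}`]));
  const alerts = [];
  const watcher = watchPermissions(at, [1001], [SYNC], (info) => alerts.push(info.permissionName));
  at.emit({ change: ChangeType.PERMISSION_GRANTED_OPER, tokenID: 1001, permissionName: SYNC });
  const afterGrant = watcher.grantedNow();
  at.emit({ change: ChangeType.PERMISSION_REVOKED_OPER, tokenID: 1001, permissionName: SYNC });
  const afterRevoke = watcher.grantedNow();
  const stopped = [watcher.stop(), watcher.stop()];
  return {
    camera: isGranted(at, 1001, CAMERA),
    sync: isGranted(at, 1001, SYNC),
    zeroToken: isGranted(at, 0, CAMERA),
    alerts, afterGrant, afterRevoke, stopped,
    subscribers: at.subscriberCount(),
  };
}

console.log(JSON.stringify(demo()));
```

On a device, pass the object returned by `abilityAccessCtrl.createAtManager()` in place of the stand-in; `watchPermissions` then needs the system-API permission listed for **on()**.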