# @ohos.abilityAccessCtrl (Application Access Control)

The **AbilityAccessCtrl** module provides APIs for application permission management, including authentication, authorization, and revocation.

> **NOTE**
>
> The initial APIs of this module are supported since API version 8. Newly added APIs will be marked with a superscript to indicate their earliest API version.

## Modules to Import

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl'
```

## abilityAccessCtrl.createAtManager

createAtManager(): AtManager

Creates an **AtManager** instance, which is used for application access control.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type| Description|
| -------- | -------- |
| [AtManager](#atmanager) | **AtManager** instance created.|

**Example**

```js
let atManager = abilityAccessCtrl.createAtManager();
```

## AtManager

Provides APIs for application access control.

### checkAccessToken<sup>9+</sup>

checkAccessToken(tokenID: number, permissionName: Permissions): Promise&lt;GrantStatus&gt;

Checks whether a permission is granted to an application. This API uses a promise to return the result.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name  | Type                | Mandatory| Description                                      |
| -------- | -------------------  | ---- | ------------------------------------------ |
| tokenID   |  number   | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).            |
| permissionName | Permissions | Yes  | Permission to check. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| Promise&lt;GrantStatus&gt; | Promise used to return the permission grant state.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
    atManager.checkAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS").then((data) => {
        console.log(`checkAccessToken success, data->${JSON.stringify(data)}`);
    }).catch((err) => {
        console.log(`checkAccessToken fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessTokenSync<sup>9+</sup>

verifyAccessTokenSync(tokenID: number, permissionName: Permissions): GrantStatus

Verifies whether a permission is granted to an application. This API returns the result synchronously.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name  | Type                | Mandatory| Description                                      |
| -------- | -------------------  | ---- | ------------------------------------------ |
| tokenID   |  number   | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).             |
| permissionName | Permissions | Yes  | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| [GrantStatus](#grantstatus) | Permission grant state.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let data = atManager.verifyAccessTokenSync(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
console.log(`data->${JSON.stringify(data)}`);
```
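
A caller-side gate built on `checkAccessToken` and `verifyAccessTokenSync`, added here as an example and not taken from the OpenHarmony documentation. It assumes the numeric values of the module's GrantStatus enum (`PERMISSION_DENIED = -1`, `PERMISSION_GRANTED = 0`); the helper names, the stub `AtManager` and its token IDs are constructed so the code runs off-device.

```javascript
// Added example: fail-closed permission gate around AtManager checks.
// Assumption: numeric values of this module's GrantStatus enum.
const GrantStatus = Object.freeze({ PERMISSION_DENIED: -1, PERMISSION_GRANTED: 0 });
const MAX_PERMISSION_NAME_BYTES = 256; // limit quoted by error 12100001

// UTF-8 byte length computed by hand, because the limit is in bytes, not characters.
function utf8Length(text) {
  let bytes = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    bytes += cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
  }
  return bytes;
}

// Returns why the arguments would be rejected with 12100001, or null if they are usable.
function argumentProblem(tokenID, permissionName) {
  if (!Number.isInteger(tokenID) || tokenID === 0) return 'tokenID is 0 or not an integer';
  if (typeof permissionName !== 'string' || permissionName.length === 0) return 'permissionName is empty';
  if (utf8Length(permissionName) > MAX_PERMISSION_NAME_BYTES) return 'permissionName exceeds 256 bytes';
  return null;
}

// Anti-pattern kept for contrast: GRANTED is 0 (falsy) and DENIED is -1 (truthy),
// so a truthiness test gets both cases backwards.
function naiveIsGranted(status) {
  return Boolean(status);
}

// Only the exact GRANTED value passes; undefined, null or NaN count as denied.
function isGranted(status) {
  return status === GrantStatus.PERMISSION_GRANTED;
}

// Synchronous gate: bad arguments and thrown errors are both treated as "denied".
function hasPermissionSync(atManager, tokenID, permissionName) {
  if (argumentProblem(tokenID, permissionName) !== null) return false;
  try {
    return isGranted(atManager.verifyAccessTokenSync(tokenID, permissionName));
  } catch (err) {
    return false;
  }
}

// Promise-based gate with the same fail-closed behaviour.
async function hasPermission(atManager, tokenID, permissionName) {
  if (argumentProblem(tokenID, permissionName) !== null) return false;
  try {
    return isGranted(await atManager.checkAccessToken(tokenID, permissionName));
  } catch (err) {
    return false;
  }
}

// Constructed stand-in for AtManager. `grants` holds "tokenID:permission" strings;
// token ID 999 simulates a failing service. Neither value comes from a real device.
function makeStubAtManager(grants) {
  const lookup = (tokenID, permissionName) => {
    if (tokenID === 999) throw new Error('constructed service failure');
    return grants.has(`${tokenID}:${permissionName}`)
      ? GrantStatus.PERMISSION_GRANTED
      : GrantStatus.PERMISSION_DENIED;
  };
  return {
    verifyAccessTokenSync: lookup,
    checkAccessToken: async (tokenID, permissionName) => lookup(tokenID, permissionName),
  };
}

const demoManager = makeStubAtManager(new Set(['537000001:ohos.permission.CAMERA']));
console.log('camera:', hasPermissionSync(demoManager, 537000001, 'ohos.permission.CAMERA'));
console.log('microphone:', hasPermissionSync(demoManager, 537000001, 'ohos.permission.MICROPHONE'));
console.log('tokenID 0:', hasPermissionSync(demoManager, 0, 'ohos.permission.CAMERA'));
```

On a device, pass the object returned by `abilityAccessCtrl.createAtManager()` in place of the stub.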

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise&lt;void&gt;

Grants a user_grant permission to an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name   | Type               | Mandatory| Description                                                        |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID      | number              | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).           |
| permissionName | Permissions              | Yes  | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags  | number | Yes  | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| Promise&lt;void&gt; | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.grantUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags).then(() => {
        console.log('grantUserGrantedPermission success');
    }).catch((err) => {
        console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback&lt;void&gt;): void

Grants a user_grant permission to an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name   | Type               | Mandatory| Description                         |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID      | number              | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).|
| permissionName | Permissions              | Yes  | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags  | number | Yes  | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|
| callback | AsyncCallback&lt;void&gt; | Yes| Callback invoked to return the result. If the permission is granted, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | TokenId does not exist. |
| 12100003 | Permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.grantUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags, (err, data) => {
        if (err) {
            console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
        } else {
            console.log('grantUserGrantedPermission success');
        }
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise&lt;void&gt;

Revokes a user_grant permission from an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name   | Type               | Mandatory| Description                                                        |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID      | number              | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).          |
| permissionName | Permissions              | Yes  | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags  | number | Yes  | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| Promise&lt;void&gt; | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.revokeUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags).then(() => {
        console.log('revokeUserGrantedPermission success');
    }).catch((err) => {
        console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback&lt;void&gt;): void

Revokes a user_grant permission from an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name   | Type               | Mandatory| Description                         |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID      | number              | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).          |
| permissionName | Permissions              | Yes  | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags  | number | Yes  | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|
| callback | AsyncCallback&lt;void&gt; | Yes| Callback invoked to return the result. If the permission is revoked, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | TokenId does not exist. |
| 12100003 | Permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.revokeUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags, (err, data) => {
        if (err) {
            console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
        } else {
            console.log('revokeUserGrantedPermission success');
        }
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getPermissionFlags

getPermissionFlags(tokenID: number, permissionName: Permissions): Promise&lt;number&gt;

Obtains the permission flag of an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS, ohos.permission.GRANT_SENSITIVE_PERMISSIONS, or ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name   | Type               | Mandatory| Description                         |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID      | number              | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).           |
| permissionName | Permissions              | Yes  | Target permission. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| Promise&lt;number&gt; | Promise used to return the permission flag obtained. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The operation is not allowed. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
    atManager.getPermissionFlags(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS").then((data) => {
        console.log(`getPermissionFlags success, data->${JSON.stringify(data)}`);
    }).catch((err) => {
        console.log(`getPermissionFlags fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getVersion<sup>9+</sup>

getVersion(): Promise&lt;number&gt;

Obtains the data version of the permission management. This API uses a promise to return the result.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| Promise&lt;number&gt; | Promise used to return the version.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let promise = atManager.getVersion();
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### on<sup>9+</sup>

on(type: 'permissionStateChange', tokenIDList: Array&lt;number&gt;, permissionList: Array&lt;Permissions&gt;, callback: Callback&lt;PermissionStateChangeInfo&gt;): void;

Subscribes to permission state changes of the specified applications and permissions.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name            | Type                  | Mandatory| Description                                                         |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type               | string                | Yes  | Event type to subscribe to. The value is **'permissionStateChange'**, which indicates the permission grant state change. |
| tokenIDList        | Array&lt;number&gt;   | Yes  | Token IDs of the applications to observe. If this parameter is left empty, the permission grant state changes of all applications are observed. |
| permissionList | Array&lt;Permissions&gt;   | Yes  | Permissions to observe. If this parameter is left empty, the grant state changes of all permissions are observed. |
| callback | Callback&lt;[PermissionStateChangeInfo](#permissionstatechangeinfo9)&gt; | Yes| Callback invoked to return the permission grant state change.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |
| 12100004 | The interface is called repeatedly with the same input. |
| 12100005 | The registration time has exceeded the limitation. |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```ts
import abilityAccessCtrl, {Permissions} from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager = abilityAccessCtrl.createAtManager();
let appInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ["ohos.permission.DISTRIBUTED_DATASYNC"];
try {
    atManager.on('permissionStateChange', tokenIDList, permissionList, (data) => {
        console.debug("receive permission state change, data:" + JSON.stringify(data));
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### off<sup>9+</sup>

off(type: 'permissionStateChange', tokenIDList: Array&lt;number&gt;, permissionList: Array&lt;Permissions&gt;, callback?: Callback&lt;PermissionStateChangeInfo&gt;): void;

Unsubscribes from permission grant state changes of the specified applications and permissions. This API uses a callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name            | Type                  | Mandatory| Description                                                         |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type               | string                | Yes  | Event type to unsubscribe from. The value is **'permissionStateChange'**, which indicates the permission grant state change. |
| tokenIDList        | Array&lt;number&gt;   | Yes  | Token IDs of the applications. If this parameter is left empty, the permission grant state changes of all applications are unsubscribed from. The value must be the same as that passed in **on()**. |
| permissionList | Array&lt;Permissions&gt;   | Yes  | Permission names. If this parameter is left empty, the grant state changes of all permissions are unsubscribed from. The value must be the same as that passed in **on()**. |
| callback | Callback&lt;[PermissionStateChangeInfo](#permissionstatechangeinfo9)&gt; | No| Callback for the permission grant state change. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenIDs or permissionNames in the list are all invalid. |
| 12100004 | The interface is not used together with "on". |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```ts
import abilityAccessCtrl, {Permissions} from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager = abilityAccessCtrl.createAtManager();
let appInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ["ohos.permission.DISTRIBUTED_DATASYNC"];
try {
    atManager.off('permissionStateChange', tokenIDList, permissionList);
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```
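
A small registry that keeps each `on()` call paired with the `off()` call that undoes it, added here as an example and not part of the OpenHarmony documentation. It passes `off()` the same lists that went to `on()`, as the parameter table requires, and makes the "empty list observes everything" case an explicit opt-in. The class, its `allowAll` option, the recording stub and the sample event are constructed for illustration; the event field names follow the linked PermissionStateChangeInfo type.

```javascript
// Added example: pair AtManager.on()/off() so unsubscription always matches subscription.
class PermissionWatchRegistry {
  constructor(atManager) {
    this.atManager = atManager;
    this.active = new Map(); // key -> { tokenIDList, permissionList, callback }
  }

  // Order-insensitive key, so [1, 2] and [2, 1] count as the same subscription.
  static keyFor(tokenIDList, permissionList) {
    const ids = [...tokenIDList].sort((a, b) => a - b);
    const names = [...permissionList].sort();
    return JSON.stringify([ids, names]);
  }

  // Registers a watch and returns the key needed to remove it.
  // An empty list means "all applications" or "all permissions", so it needs allowAll.
  watch(tokenIDList, permissionList, callback, { allowAll = false } = {}) {
    if (!allowAll && (tokenIDList.length === 0 || permissionList.length === 0)) {
      throw new RangeError('empty list observes everything; pass { allowAll: true } to confirm');
    }
    const key = PermissionWatchRegistry.keyFor(tokenIDList, permissionList);
    if (this.active.has(key)) {
      // A second on() with the same input is what error 12100004 reports.
      throw new Error('already watching this token/permission set');
    }
    // Private copies: later mutation by the caller cannot desynchronise on() and off().
    const entry = { tokenIDList: [...tokenIDList], permissionList: [...permissionList], callback };
    this.atManager.on('permissionStateChange', entry.tokenIDList, entry.permissionList, entry.callback);
    this.active.set(key, entry); // recorded only after on() did not throw
    return key;
  }

  // Removes a watch; returns false when there is nothing to remove, so off()
  // is never called without a matching on().
  unwatch(key) {
    const entry = this.active.get(key);
    if (!entry) return false;
    this.atManager.off('permissionStateChange', entry.tokenIDList, entry.permissionList, entry.callback);
    this.active.delete(key);
    return true;
  }

  // Call from the owning component's teardown path so no watch is left behind.
  unwatchAll() {
    for (const key of [...this.active.keys()]) this.unwatch(key);
  }
}

// Constructed stand-in for AtManager that records calls and can replay an event.
function makeRecordingAtManager() {
  const calls = [];
  const subscribers = new Set();
  return {
    calls,
    on(type, tokenIDList, permissionList, callback) {
      calls.push({ api: 'on', type, tokenIDList, permissionList, callback });
      subscribers.add(callback);
    },
    off(type, tokenIDList, permissionList, callback) {
      calls.push({ api: 'off', type, tokenIDList, permissionList, callback });
      subscribers.delete(callback);
    },
    emit(info) {
      subscribers.forEach((cb) => cb(info));
    },
  };
}

const demoAtManager = makeRecordingAtManager();
const demoRegistry = new PermissionWatchRegistry(demoAtManager);
const demoKey = demoRegistry.watch([537000001], ['ohos.permission.DISTRIBUTED_DATASYNC'], (info) => {
  console.log('permission state change:', JSON.stringify(info));
});
// Constructed event; tokenID and change value are sample data.
demoAtManager.emit({ change: 1, tokenID: 537000001, permissionName: 'ohos.permission.DISTRIBUTED_DATASYNC' });
demoRegistry.unwatch(demoKey);
```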

### verifyAccessToken<sup>9+</sup>

verifyAccessToken(tokenID: number, permissionName: Permissions): Promise&lt;GrantStatus&gt;

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name  | Type                | Mandatory| Description                                      |
| -------- | -------------------  | ---- | ------------------------------------------ |
| tokenID   |  number   | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).            |
| permissionName | Permissions | Yes  | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| Promise&lt;GrantStatus&gt; | Promise used to return the permission grant state.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let promise = atManager.verifyAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array&lt;Permissions&gt;, requestCallback: AsyncCallback&lt;PermissionRequestResult&gt;) : void;

Requests user authorization in a dialog box opened by a UIAbility. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> The API cannot be called by any non-UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Context of the UIAbility.|
| permissionList | Array&lt;Permissions&gt; | Yes| Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| requestCallback | AsyncCallback&lt;[PermissionRequestResult](js-apis-permissionrequestresult.md)&gt; | Yes| Callback invoked to return the result.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
try {
    atManager.requestPermissionsFromUser(this.context, ["ohos.permission.CAMERA"], (err, data) => {
        if (err) {
            // data is not valid when the request fails, so do not read it.
            console.log(`requestPermissionsFromUser fail, err->${JSON.stringify(err)}`);
            return;
        }
        console.info("data:" + JSON.stringify(data));
        console.info("data permissions:" + data.permissions);
        console.info("data authResults:" + data.authResults);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array&lt;Permissions&gt;): Promise&lt;PermissionRequestResult&gt;

Requests user authorization in a dialog box opened by a UIAbility. This API uses a promise to return the result.

> **NOTE**
>
> This API can be called only from a UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Context of the UIAbility.|
| permissionList | Array&lt;Permissions&gt; | Yes| Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type| Description|
| -------- | -------- |
| Promise&lt;[PermissionRequestResult](js-apis-permissionrequestresult.md)&gt; | Promise used to return the result.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
try {
    // this.context must be the context of the calling UIAbility.
    atManager.requestPermissionsFromUser(this.context, ["ohos.permission.CAMERA"]).then((data) => {
        console.info("data:" + JSON.stringify(data));
        console.info("data permissions:" + data.permissions);
        console.info("data authResults:" + data.authResults);
    }).catch((err) => {
        // The promise was rejected: log the error, not a result.
        console.info("err:" + JSON.stringify(err));
    })
} catch(err) {
    // Errors thrown by the call itself are caught here.
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>(deprecated)</sup>

verifyAccessToken(tokenID: number, permissionName: string): Promise&lt;GrantStatus&gt;

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> This API is no longer maintained since API version 9. You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name  | Type                | Mandatory| Description                                      |
| -------- | -------------------  | ---- | ------------------------------------------ |
| tokenID   |  number   | Yes  | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).            |
| permissionName | string | Yes  | Permission to verify.|

**Return value**

| Type         | Description                               |
| :------------ | :---------------------------------- |
| Promise&lt;GrantStatus&gt; | Promise used to return the permission grant state.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let promise = atManager.verifyAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
promise.then(data => {
    // data is a GrantStatus value: 0 (PERMISSION_GRANTED) or -1 (PERMISSION_DENIED).
    console.log(`promise: data->${JSON.stringify(data)}`);
}).catch(err => {
    console.log(`promise: err->${JSON.stringify(err)}`);
});
```

### GrantStatus

Enumerates the permission grant states.

**System capability**: SystemCapability.Security.AccessToken

| Name              |    Value| Description       |
| ------------------ | ----- | ----------- |
| PERMISSION_DENIED  | -1    | Permission denied.|
| PERMISSION_GRANTED | 0     | Permission granted.|
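
Because **PERMISSION_GRANTED** is 0 and **PERMISSION_DENIED** is -1, a truthiness test on a grant status inverts the decision. The following is an added example, not part of the original documentation: `isGranted` and `evaluateRequestResult` are hypothetical helpers and the sample results are constructed. It shows a fail-closed check over the `permissions` and `authResults` fields used in the **requestPermissionsFromUser** examples.

```javascript
// GrantStatus values as documented in the table above.
const PERMISSION_DENIED = -1;
const PERMISSION_GRANTED = 0;

// Fail-closed: only the exact number 0 counts as granted.
// A truthiness test such as `if (status)` is wrong here because
// PERMISSION_GRANTED (0) is falsy and PERMISSION_DENIED (-1) is truthy.
function isGranted(status) {
    return status === PERMISSION_GRANTED;
}

// Hypothetical helper: decide whether every required permission was granted,
// given the `permissions` and `authResults` arrays of a request result.
function evaluateRequestResult(result, required) {
    const permissions = (result && Array.isArray(result.permissions)) ? result.permissions : [];
    const authResults = (result && Array.isArray(result.authResults)) ? result.authResults : [];
    const granted = new Set();
    // Pair entries by index; a permission without a matching status stays ungranted.
    permissions.forEach((name, i) => {
        if (i < authResults.length && isGranted(authResults[i])) {
            granted.add(name);
        }
    });
    const missing = required.filter((name) => !granted.has(name));
    return { allGranted: missing.length === 0, missing };
}

// Constructed sample results (not captured from a device).
const sampleMixed = {
    permissions: ["ohos.permission.CAMERA", "ohos.permission.MICROPHONE"],
    authResults: [PERMISSION_GRANTED, PERMISSION_DENIED]
};
const sampleTruncated = { permissions: ["ohos.permission.CAMERA"], authResults: [] };

console.info(JSON.stringify(evaluateRequestResult(sampleMixed, sampleMixed.permissions)));
console.info(JSON.stringify(evaluateRequestResult(sampleTruncated, ["ohos.permission.CAMERA"])));
```

Gate the protected feature on `allGranted` rather than on the promise resolving, since the request can complete with some permissions denied.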

### PermissionStateChangeType<sup>9+</sup>

Enumerates the operations that trigger permission grant state changes.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name                    |    Value| Description             |
| ----------------------- | ------ | ----------------- |
| PERMISSION_REVOKED_OPER | 0      | Operation to revoke the permission.|
| PERMISSION_GRANTED_OPER | 1      | Operation to grant the permission.|

### PermissionStateChangeInfo<sup>9+</sup>

Defines detailed information about the permission grant state change.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name          | Type                      | Readable| Writable| Description               |
| -------------- | ------------------------- | ---- | ---- | ------------------ |
| change         | [PermissionStateChangeType](#permissionstatechangetype9) | Yes  | No  | Operation that triggers the permission grant state change.       |
| tokenID        | number                    | Yes  | No  | Token ID of the application. |
| permissionName | Permissions                    | Yes  | No  | Permission whose grant state changes. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
