# @ohos.abilityAccessCtrl (Application Access Control)

The **AbilityAccessCtrl** module provides APIs for application permission management, including authentication, authorization, and revocation.

> **NOTE**
>
> The initial APIs of this module are supported since API version 8. Newly added APIs will be marked with a superscript to indicate their earliest API version.

## Modules to Import

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl'
```

## abilityAccessCtrl.createAtManager

createAtManager(): AtManager

Creates an **AtManager** instance, which is used for application access control.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type| Description|
| -------- | -------- |
| [AtManager](#atmanager) | **AtManager** instance created.|

**Example**

```js
let atManager = abilityAccessCtrl.createAtManager();
```

## AtManager

Provides APIs for application access control.

### checkAccessToken<sup>9+</sup>

checkAccessToken(tokenID: number, permissionName: Permissions): Promise<GrantStatus>

Checks whether a permission is granted to an application. This API uses a promise to return the result.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to check. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
    atManager.checkAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS").then((data) => {
        console.log(`checkAccessToken success, data->${JSON.stringify(data)}`);
    }).catch((err) => {
        console.log(`checkAccessToken fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessTokenSync<sup>9+</sup>

verifyAccessTokenSync(tokenID: number, permissionName: Permissions): GrantStatus

Verifies whether a permission is granted to an application. This API returns the result synchronously.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| [GrantStatus](#grantstatus) | Permission grant state.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |

**Example**

```js
let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let data = atManager.verifyAccessTokenSync(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
console.log(`data->${JSON.stringify(data)}`);
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise<void>

Grants a user_grant permission to an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.grantUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags).then(() => {
        console.log('grantUserGrantedPermission success');
    }).catch((err) => {
        console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback<void>): void

Grants a user_grant permission to an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).|
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|
| callback | AsyncCallback<void> | Yes| Callback invoked to return the result. If the permission is granted, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | TokenId does not exist. |
| 12100003 | Permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.grantUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags, (err, data) => {
        if (err) {
            console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
        } else {
            console.log('grantUserGrantedPermission success');
        }
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise<void>

Revokes a user_grant permission from an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.revokeUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags).then(() => {
        console.log('revokeUserGrantedPermission success');
    }).catch((err) => {
        console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback<void>): void

Revokes a user_grant permission from an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed.|
| callback | AsyncCallback<void> | Yes| Callback invoked to return the result. If the permission is revoked, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | TokenId does not exist. |
| 12100003 | Permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags = 1;
try {
    atManager.revokeUserGrantedPermission(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS", permissionFlags, (err, data) => {
        if (err) {
            console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
        } else {
            console.log('revokeUserGrantedPermission success');
        }
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getPermissionFlags

getPermissionFlags(tokenID: number, permissionName: Permissions): Promise<number>

Obtains the permission flag of an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS, ohos.permission.GRANT_SENSITIVE_PERMISSIONS, or ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Target permission. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<number> | Promise used to return the permission flag obtained. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The operation is not allowed. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
    atManager.getPermissionFlags(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS").then((data) => {
        console.log(`getPermissionFlags success, data->${JSON.stringify(data)}`);
    }).catch((err) => {
        console.log(`getPermissionFlags fail, err->${JSON.stringify(err)}`);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getVersion<sup>9+</sup>

getVersion(): Promise<number>

Obtains the data version of the permission management. This API uses a promise to return the result.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<number> | Promise used to return the version.|

**Example**

```js
let atManager = abilityAccessCtrl.createAtManager();
let promise = atManager.getVersion();
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### on<sup>9+</sup>

on(type: 'permissionStateChange', tokenIDList: Array<number>, permissionList: Array<Permissions>, callback: Callback<PermissionStateChangeInfo>): void;

Subscribes to permission state changes of the specified applications and permissions.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type to subscribe to. The value is **'permissionStateChange'**, which indicates the permission grant state change. |
| tokenIDList | Array<number> | Yes | Token IDs of the applications to observe. If this parameter is left empty, the permission grant state changes of all applications are observed. |
| permissionList | Array<Permissions> | Yes | Permissions to observe. If this parameter is left empty, the grant state changes of all permissions are observed. |
| callback | Callback<[PermissionStateChangeInfo](#permissionstatechangeinfo9)> | Yes| Callback invoked to return the permission grant state change.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or the permissionName exceeds 256 bytes. |
| 12100004 | The interface is called repeatedly with the same input. |
| 12100005 | The registration time has exceeded the limitation. |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```js
import abilityAccessCtrl, {Permissions} from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager = abilityAccessCtrl.createAtManager();
let appInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ["ohos.permission.DISTRIBUTED_DATASYNC"];
try {
    atManager.on('permissionStateChange', tokenIDList, permissionList, (data) => {
        console.debug("receive permission state change, data:" + JSON.stringify(data));
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### off<sup>9+</sup>

off(type: 'permissionStateChange', tokenIDList: Array<number>, permissionList: Array<Permissions>, callback?: Callback<PermissionStateChangeInfo>): void;

Unsubscribes from permission grant state changes of the specified applications and permissions. This API uses a callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type to unsubscribe from. The value is **'permissionStateChange'**, which indicates the permission grant state change. |
| tokenIDList | Array<number> | Yes | Token IDs of the applications. If this parameter is left empty, the permission grant state changes of all applications are unsubscribed from. The value must be the same as that passed in **on()**. |
| permissionList | Array<Permissions> | Yes | Permission names. If this parameter is left empty, the grant state changes of all permissions are unsubscribed from. The value must be the same as that passed in **on()**. |
| callback | Callback<[PermissionStateChangeInfo](#permissionstatechangeinfo9)> | No| Callback for the permission grant state change. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenIDs or permissionNames in the list are all invalid. |
| 12100004 | The interface is not used together with "on". |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```js
import abilityAccessCtrl, {Permissions} from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager = abilityAccessCtrl.createAtManager();
let appInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ["ohos.permission.DISTRIBUTED_DATASYNC"];
try {
    atManager.off('permissionStateChange', tokenIDList, permissionList);
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>9+</sup>

verifyAccessToken(tokenID: number, permissionName: Permissions): Promise<GrantStatus>

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let promise = atManager.verifyAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array<Permissions>, requestCallback: AsyncCallback<PermissionRequestResult>) : void;

Requests user authorization in a dialog box opened by a UIAbility. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> The API cannot be called by any non-UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Context of the UIAbility.|
| permissionList | Array<Permissions> | Yes| Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|
| callback | AsyncCallback<[PermissionRequestResult](js-apis-permissionrequestresult.md)> | Yes| Callback invoked to return the result.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
let atManager = abilityAccessCtrl.createAtManager();
try {
    atManager.requestPermissionsFromUser(this.context, ["ohos.permission.CAMERA"], (err, data)=>{
        console.info("data:" + JSON.stringify(data));
        console.info("data permissions:" + data.permissions);
        console.info("data authResults:" + data.authResults);
    });
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array<Permissions>) : Promise<PermissionRequestResult>;

Requests user authorization in a dialog box opened by a UIAbility. This API uses a promise to return the result.

> **NOTE**
>
> The API cannot be called by any non-UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Context of the UIAbility.|
| permissionList | Array<Permissions> | Yes| Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type| Description|
| -------- | -------- |
| Promise<[PermissionRequestResult](js-apis-permissionrequestresult.md)> | Promise used to return the result.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
let atManager = abilityAccessCtrl.createAtManager();
try {
    atManager.requestPermissionsFromUser(this.context, ["ohos.permission.CAMERA"]).then((data) => {
        console.info("data:" + JSON.stringify(data));
        console.info("data permissions:" + data.permissions);
        console.info("data authResults:" + data.authResults);
    }).catch((err) => {
        console.info("data:" + JSON.stringify(err));
    })
} catch(err) {
    console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>(deprecated)</sup>

verifyAccessToken(tokenID: number, permissionName: string): Promise<GrantStatus>

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> This API is no longer maintained since API version 9. You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Token ID of the application. The value can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | string | Yes | Permission to verify.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state.|

**Example**

```js
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager = abilityAccessCtrl.createAtManager();
let tokenID = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let promise = atManager.verifyAccessToken(tokenID, "ohos.permission.GRANT_SENSITIVE_PERMISSIONS");
promise.then(data => {
    console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### GrantStatus

Enumerates the permission grant states.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ------------------ | ----- | ----------- |
| PERMISSION_DENIED | -1 | Permission denied.|
| PERMISSION_GRANTED | 0 | Permission granted.|

### PermissionStateChangeType<sup>9+</sup>

Enumerates the operations that trigger permission grant state changes.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ----------------------- | ------ | ----------------- |
| PERMISSION_REVOKED_OPER | 0 | Operation to revoke the permission.|
| PERMISSION_GRANTED_OPER | 1 | Operation to grant the permission.|

### PermissionStateChangeInfo<sup>9+</sup>

Defines detailed information about the permission grant state change.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Type | Readable| Writable| Description |
| -------------- | ------------------------- | ---- | ---- | ------------------ |
| change | [PermissionStateChangeType](#permissionstatechangetype9) | Yes | No | Operation that triggers the permission grant state change. |
| tokenID | number | Yes | No | Token ID of the application. |
| permissionName | Permissions | Yes | No | Permission whose grant state changes. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
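
The following added example (not part of the original reference and not OpenHarmony project code) combines `checkAccessToken` and `requestPermissionsFromUser` into a fail-closed gate for a sensitive operation: API errors count as denial, and the final decision comes from re-checking `GrantStatus` after the dialog. `ensurePermissions`, `findMissing`, `makeConstructedAtManager` and the token ID used with them are hypothetical; the in-memory manager is a constructed stand-in so the block runs without the `@ohos.abilityAccessCtrl` module.

```javascript
// GrantStatus values from the table on this page.
const PERMISSION_DENIED = -1;
const PERMISSION_GRANTED = 0;

// Returns the subset of `permissions` that checkAccessToken does not report
// as granted. Any rejected promise (for example error 12100001) counts as
// "not granted", so an API failure can never open the gate.
async function findMissing(atManager, tokenID, permissions) {
  const missing = [];
  for (const name of permissions) {
    let status = PERMISSION_DENIED;
    try {
      status = await atManager.checkAccessToken(tokenID, name);
    } catch (err) {
      status = PERMISSION_DENIED; // fail closed
    }
    if (status !== PERMISSION_GRANTED) missing.push(name);
  }
  return missing;
}

// Hypothetical helper: decide whether an operation needing `permissions`
// may proceed for the application identified by `tokenID`.
async function ensurePermissions(atManager, context, tokenID, permissions) {
  // The API rejects tokenID 0 and names longer than 256 bytes with 12100001;
  // refuse them up front instead of relying on the error path.
  const badName = permissions.some(
    (p) => typeof p !== 'string' || new TextEncoder().encode(p).length > 256);
  if (!Number.isInteger(tokenID) || tokenID === 0 || badName) {
    return { allowed: false, missing: [...permissions], prompted: false };
  }

  let missing = await findMissing(atManager, tokenID, permissions);
  if (missing.length === 0) return { allowed: true, missing, prompted: false };

  // Ask only for what is actually missing, so the dialog stays minimal.
  try {
    await atManager.requestPermissionsFromUser(context, missing);
  } catch (err) {
    return { allowed: false, missing, prompted: true };
  }

  // Re-check through checkAccessToken rather than trusting the dialog result:
  // the decision then rests only on GrantStatus as defined on this page.
  missing = await findMissing(atManager, tokenID, missing);
  return { allowed: missing.length === 0, missing, prompted: true };
}

// Constructed in-memory stand-in for AtManager (not the real module).
// `granted` is the initial grant set; `userAccepts` lists what the simulated
// user approves in the dialog.
function makeConstructedAtManager(granted, userAccepts) {
  const state = new Set(granted);
  return {
    prompts: [],
    async checkAccessToken(tokenID, name) {
      return state.has(name) ? PERMISSION_GRANTED : PERMISSION_DENIED;
    },
    async requestPermissionsFromUser(context, list) {
      this.prompts.push([...list]);
      for (const name of list) if (userAccepts.includes(name)) state.add(name);
      // Constructed result object; ensurePermissions ignores authResults.
      return { permissions: [...list], authResults: list.map((n) => (state.has(n) ? 0 : -1)) };
    },
  };
}
```
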
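
A second added example (again not part of the original reference or of OpenHarmony's code) shows how a system application could audit grant state changes with `on('permissionStateChange')`: each `PermissionStateChangeInfo` event is compared against a per-application allowlist, and the unsubscribe closure reuses the exact lists passed to `on()`, as `off()` requires. The allowlist format, `watchPermissionChanges`, `classifyChange`, `makeEventStub` and the token ID in the usage are hypothetical; the stub is a constructed stand-in so the block runs offline.

```javascript
// PermissionStateChangeType values from the table on this page.
const PERMISSION_REVOKED_OPER = 0;
const PERMISSION_GRANTED_OPER = 1;

// Turns one PermissionStateChangeInfo event into a finding, or null when the
// change is expected. `allowlist` maps tokenID -> permitted permission names
// (hypothetical policy format).
function classifyChange(info, allowlist) {
  if (!info || typeof info.tokenID !== 'number' || typeof info.permissionName !== 'string') {
    return { severity: 'error', reason: 'malformed event' };
  }
  const { tokenID, permissionName, change } = info;
  const allowed = (allowlist[tokenID] || []).includes(permissionName);
  if (change === PERMISSION_GRANTED_OPER) {
    return allowed ? null
      : { severity: 'alert', reason: 'grant outside allowlist', tokenID, permissionName };
  }
  if (change === PERMISSION_REVOKED_OPER) {
    return allowed
      ? { severity: 'info', reason: 'allowlisted permission revoked', tokenID, permissionName }
      : null;
  }
  return { severity: 'error', reason: 'unknown change type', tokenID, permissionName };
}

// Subscribes for every application in the allowlist and reports findings.
// on()/off() are system APIs that need ohos.permission.GET_SENSITIVE_PERMISSIONS.
function watchPermissionChanges(atManager, allowlist, report) {
  const tokenIDList = Object.keys(allowlist).map(Number);
  const permissionList = []; // empty list: observe all permissions
  const handler = (info) => {
    const finding = classifyChange(info, allowlist);
    if (finding) report(finding);
  };
  atManager.on('permissionStateChange', tokenIDList, permissionList, handler);
  // off() must receive the same lists as on(), so keep them in the closure.
  return () => atManager.off('permissionStateChange', tokenIDList, permissionList, handler);
}

// Constructed event source standing in for AtManager (not the real module).
// It mirrors two documented rules: a repeated on() with the same input and an
// off() that does not match a previous on() both fail with 12100004.
function makeEventStub() {
  let sub = null;
  const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);
  return {
    on(type, tokens, perms, cb) {
      if (sub && same(sub.tokens, tokens) && same(sub.perms, perms)) throw { code: 12100004 };
      sub = { tokens, perms, cb };
    },
    off(type, tokens, perms) {
      if (!sub || !same(sub.tokens, tokens) || !same(sub.perms, perms)) throw { code: 12100004 };
      sub = null;
    },
    emit(info) {
      if (sub && (sub.tokens.length === 0 || sub.tokens.includes(info.tokenID))) sub.cb(info);
    },
    active() { return sub !== null; },
  };
}
```
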