# @ohos.abilityAccessCtrl (Application Access Control)

The **abilityAccessCtrl** module provides APIs for application permission management, including authentication, authorization, and revocation.

> **NOTE**
>
> The initial APIs of this module are supported since API version 8. Newly added APIs will be marked with a superscript to indicate their earliest API version.

## Modules to Import

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl'
```

## abilityAccessCtrl.createAtManager

createAtManager(): AtManager

Creates an **AtManager** instance, which is used for application access control.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type| Description|
| -------- | -------- |
| [AtManager](#atmanager) | **AtManager** instance created.|

**Example**

```ts
let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
```

## AtManager

Provides APIs for application access control.

### checkAccessToken<sup>9+</sup>

checkAccessToken(tokenID: number, permissionName: Permissions): Promise<GrantStatus>

Checks whether a permission is granted to an application. This API uses a promise to return the result.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to check. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes.|

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
  atManager.checkAccessToken(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS').then((data: abilityAccessCtrl.GrantStatus) => {
    console.log(`checkAccessToken success, data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`checkAccessToken fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessTokenSync<sup>9+</sup>

verifyAccessTokenSync(tokenID: number, permissionName: Permissions): GrantStatus

Verifies whether a permission is granted to an application. This API returns the result synchronously.
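
The following is an added example, not part of the OpenHarmony documentation: a fail-closed gate around a call shaped like **verifyAccessTokenSync**, written so that it runs without the `@ohos` modules. `SyncVerifier`, `FakeAtManager`, `checkPermission`, the token ID and the reading of the 256-byte limit as UTF-8 bytes are assumptions made for illustration; the **GrantStatus** values are -1 (denied) and 0 (granted), so the status has to be compared explicitly rather than tested for truthiness.

```typescript
// Added example, not OpenHarmony code: fail-closed wrapper around a
// verifyAccessTokenSync-shaped call.

// Numeric values of abilityAccessCtrl.GrantStatus. GRANTED is 0, which is falsy.
const GrantStatus = { PERMISSION_DENIED: -1, PERMISSION_GRANTED: 0 } as const;

// Limit and error ID taken from the 12100001 row of the error code table.
const MAX_PERMISSION_NAME_BYTES = 256;
const ERR_INVALID_PARAM = 12100001;

// Hypothetical structural type: the one AtManager method this example needs.
interface SyncVerifier {
  verifyAccessTokenSync(tokenID: number, permissionName: string): number;
}

interface Decision {
  allowed: boolean;
  reason: string;
}

// Assumption: the 256-byte limit is measured on the UTF-8 encoding of the name.
function utf8ByteLength(text: string): number {
  let bytes = 0;
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code < 0x80) {
      bytes += 1;
    } else if (code < 0x800) {
      bytes += 2;
    } else if (code >= 0xd800 && code <= 0xdbff && i + 1 < text.length) {
      bytes += 4; // surrogate pair encodes one 4-byte code point
      i++;
    } else {
      bytes += 3;
    }
  }
  return bytes;
}

// The mistake to avoid: a truthiness test inverts the decision.
function naiveIsGranted(status: number): boolean {
  return Boolean(status); // -1 (denied) -> true, 0 (granted) -> false
}

// Allows only on an explicit PERMISSION_GRANTED; every other outcome denies.
function checkPermission(verifier: SyncVerifier, tokenID: number, permissionName: string): Decision {
  if (tokenID === 0 || tokenID % 1 !== 0) {
    return { allowed: false, reason: 'invalid tokenID' };
  }
  if (utf8ByteLength(permissionName) > MAX_PERMISSION_NAME_BYTES) {
    return { allowed: false, reason: 'permissionName too long' };
  }
  let status: number;
  try {
    status = verifier.verifyAccessTokenSync(tokenID, permissionName);
  } catch (err) {
    // An exception is never treated as a grant.
    const code = typeof err === 'object' && err !== null ? (err as { code?: number }).code : undefined;
    return { allowed: false, reason: 'verification failed, code=' + (code === undefined ? 'unknown' : String(code)) };
  }
  if (status === GrantStatus.PERMISSION_GRANTED) {
    return { allowed: true, reason: 'granted' };
  }
  return { allowed: false, reason: 'denied' };
}

// Constructed stand-in for AtManager so the example runs off-device.
class FakeAtManager implements SyncVerifier {
  private granted: { [key: string]: boolean } = {};

  grant(tokenID: number, permissionName: string): void {
    this.granted[tokenID + '|' + permissionName] = true;
  }

  verifyAccessTokenSync(tokenID: number, permissionName: string): number {
    if (tokenID === 0 || utf8ByteLength(permissionName) > MAX_PERMISSION_NAME_BYTES) {
      throw { code: ERR_INVALID_PARAM, message: 'The parameter is invalid.' };
    }
    return this.granted[tokenID + '|' + permissionName] === true
      ? GrantStatus.PERMISSION_GRANTED
      : GrantStatus.PERMISSION_DENIED;
  }
}

function demo(): Decision[] {
  const TOKEN = 537919488; // constructed token ID, not a real application
  const at = new FakeAtManager();
  at.grant(TOKEN, 'ohos.permission.CAMERA');
  // Constructed verifier that always fails, to show the fail-closed path.
  const broken: SyncVerifier = {
    verifyAccessTokenSync: () => { throw new Error('service unavailable'); }
  };
  return [
    checkPermission(at, TOKEN, 'ohos.permission.CAMERA'),
    checkPermission(at, TOKEN, 'ohos.permission.READ_AUDIO'),
    checkPermission(at, 0, 'ohos.permission.CAMERA'),
    checkPermission(broken, TOKEN, 'ohos.permission.CAMERA')
  ];
}

console.log(JSON.stringify(demo()));
```
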

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| [GrantStatus](#grantstatus) | Permission grant state.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes.|

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let data: abilityAccessCtrl.GrantStatus = atManager.verifyAccessTokenSync(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS');
console.log(`data->${JSON.stringify(data)}`);
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise<void>

Grants a user_grant permission to an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **64**: The permission is granted to the user only this time. The authorization is revoked after the application switches to the background or exits.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid.|
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.grantUserGrantedPermission(tokenID, 'ohos.permission.READ_AUDIO', permissionFlags).then(() => {
    console.log('grantUserGrantedPermission success');
  }).catch((err: BusinessError) => {
    console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback<void>): void

Grants a user_grant permission to an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md).|
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **64**: The permission is granted to the user only this time. The authorization is revoked after the application switches to the background or exits.|
| callback | AsyncCallback<void> | Yes| Callback invoked to return the result. If the permission is granted, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid.|
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.grantUserGrantedPermission(tokenID, 'ohos.permission.READ_AUDIO', permissionFlags, (err: BusinessError, data: void) => {
    if (err) {
      console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    } else {
      console.log('grantUserGrantedPermission success');
    }
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise<void>

Revokes a user_grant permission from an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **64**: The permission is granted to the user only this time. The authorization is revoked after the application switches to the background or exits.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid.|
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.revokeUserGrantedPermission(tokenID, 'ohos.permission.READ_AUDIO', permissionFlags).then(() => {
    console.log('revokeUserGrantedPermission success');
  }).catch((err: BusinessError) => {
    console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback<void>): void

Revokes a user_grant permission from an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|
| permissionFlags | number | Yes | Permission flag.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **64**: The permission is granted to the user only this time. The authorization is revoked after the application switches to the background or exits.|
| callback | AsyncCallback<void> | Yes| Callback invoked to return the result. If the permission is revoked, **err** is **undefined**. Otherwise, **err** is an error object.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid.|
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.revokeUserGrantedPermission(tokenID, 'ohos.permission.READ_AUDIO', permissionFlags, (err: BusinessError, data: void) => {
    if (err) {
      console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    } else {
      console.log('revokeUserGrantedPermission success');
    }
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getPermissionFlags

getPermissionFlags(tokenID: number, permissionName: Permissions): Promise<number>

Obtains the permission flag of an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS, ohos.permission.GRANT_SENSITIVE_PERMISSIONS, or ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission whose flag is to be obtained. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<number> | Promise used to return the permission flag obtained. |

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes.|
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The operation is not allowed. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
  atManager.getPermissionFlags(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS').then((data: number) => {
    console.log(`getPermissionFlags success, data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`getPermissionFlags fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getVersion<sup>9+</sup>

getVersion(): Promise<number>

Obtains the data version of the permission management. This API uses a promise to return the result.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<number> | Promise used to return the version obtained.|

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let promise = atManager.getVersion();
promise.then((data: number) => {
  console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### on<sup>9+</sup>

on(type: 'permissionStateChange', tokenIDList: Array<number>, permissionList: Array<Permissions>, callback: Callback<PermissionStateChangeInfo>): void

Subscribes to permission state changes of the specified applications and permissions.

Multiple callbacks can be registered for the specified **tokenIDList** and **permissionList**.

If **tokenIDList** and **permissionList** have common values with the **tokenIDList** and **permissionList** of a callback registered, **callback** must be different.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type. The value is **'permissionStateChange'**, which indicates the permission grant state changes. |
| tokenIDList | Array<number> | Yes | List of application token IDs. If this parameter is left empty, this API subscribes to the permission grant state changes of all applications.|
| permissionList | Array<Permissions> | Yes | List of permissions to be subscribed to. If this parameter is left empty, this API subscribes to state changes of all permissions. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|
| callback | Callback<[PermissionStateChangeInfo](#permissionstatechangeinfo9)> | Yes| Callback invoked to return the permission grant state change.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes.|
| 12100004 | The interface is called repeatedly with the same input. |
| 12100005 | The registration time has exceeded the limitation. |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let appInfo: bundleManager.ApplicationInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ['ohos.permission.DISTRIBUTED_DATASYNC'];
try {
  atManager.on('permissionStateChange', tokenIDList, permissionList, (data: abilityAccessCtrl.PermissionStateChangeInfo) => {
    console.debug('receive permission state change, data:' + JSON.stringify(data));
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### off<sup>9+</sup>

off(type: 'permissionStateChange', tokenIDList: Array<number>, permissionList: Array<Permissions>, callback?: Callback<PermissionStateChangeInfo>): void

Unsubscribes from permission grant state changes of the specified applications and permissions. This API uses a callback to return the result.

If no callback is passed in **atManager.off**, all callbacks for **tokenIDList** and **permissionList** will be unregistered.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type. The value is **'permissionStateChange'**, which indicates the permission grant state changes. |
| tokenIDList | Array<number> | Yes | List of application token IDs. The value must be the same as that passed in **on()**. If this parameter is left empty, this API unsubscribes from the permission grant state changes of all applications.|
| permissionList | Array<Permissions> | Yes | List of permissions. The value must be the same as that of **on()**. If this parameter is left empty, this API unsubscribes from state changes of all permissions. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|
| callback | Callback<[PermissionStateChangeInfo](#permissionstatechangeinfo9)> | No| Callback for the permission grant state change.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenIDs or permissionNames in the list are all invalid. |
| 12100004 | The interface is not used together with 'on'. |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let appInfo: bundleManager.ApplicationInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ['ohos.permission.DISTRIBUTED_DATASYNC'];
try {
  atManager.off('permissionStateChange', tokenIDList, permissionList);
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>9+</sup>

verifyAccessToken(tokenID: number, permissionName: Permissions): Promise<GrantStatus>

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state.|

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionName: Permissions = 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS';
try {
  atManager.verifyAccessToken(tokenID, permissionName).then((data: abilityAccessCtrl.GrantStatus) => {
    console.log(`promise: data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`verifyAccessToken fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array<Permissions>, requestCallback: AsyncCallback<PermissionRequestResult>) : void

Requests user authorization in a dialog box opened by a UIAbility. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> The API cannot be called by any non-UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Context of the UIAbility.|
| permissionList | Array<Permissions> | Yes| Permissions requested. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|
| requestCallback | AsyncCallback<[PermissionRequestResult](js-apis-permissionrequestresult.md)> | Yes| Callback invoked to return the result.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

For details about how to obtain the context in the example, see [Obtaining the Context of UIAbility](../../application-models/uiability-usage.md#obtaining-the-context-of-uiability).

```ts
import abilityAccessCtrl, { Context, PermissionRequestResult } from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';
import common from '@ohos.app.ability.common';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
try {
  let context: Context = getContext(this) as common.UIAbilityContext;
  atManager.requestPermissionsFromUser(context, ['ohos.permission.CAMERA'], (err: BusinessError, data: PermissionRequestResult) => {
    // Check err first: data is not valid when the request fails.
    if (err) {
      console.log(`requestPermissionsFromUser fail, err->${JSON.stringify(err)}`);
      return;
    }
    console.info('data:' + JSON.stringify(data));
    console.info('data permissions:' + data.permissions);
    console.info('data authResults:' + data.authResults);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array<Permissions>) : Promise<PermissionRequestResult>

Requests user authorization in a dialog box opened by a UIAbility. This API uses a promise to return the result.

> **NOTE**
>
> The API cannot be called by any non-UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Context of the UIAbility.|
| permissionList | Array<Permissions> | Yes| Permissions requested. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|

**Return value**

| Type| Description|
| -------- | -------- |
| Promise<[PermissionRequestResult](js-apis-permissionrequestresult.md)> | Promise used to return the result.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

For details about how to obtain the context in the example, see [Obtaining the Context of UIAbility](../../application-models/uiability-usage.md#obtaining-the-context-of-uiability).

```ts
import abilityAccessCtrl, { Context, PermissionRequestResult } from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';
import common from '@ohos.app.ability.common';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
try {
  let context: Context = getContext(this) as common.UIAbilityContext;
  atManager.requestPermissionsFromUser(context, ['ohos.permission.CAMERA']).then((data: PermissionRequestResult) => {
    console.info('data:' + JSON.stringify(data));
    console.info('data permissions:' + data.permissions);
    console.info('data authResults:' + data.authResults);
  }).catch((err: BusinessError) => {
    console.info('data:' + JSON.stringify(err));
  })
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>(deprecated)</sup>

verifyAccessToken(tokenID: number, permissionName: string): Promise<GrantStatus>

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> This API is no longer maintained since API version 9. You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | string | Yes | Permission to verify. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state.|

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
  atManager.verifyAccessToken(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS').then((data: abilityAccessCtrl.GrantStatus) => {
    console.log(`promise: data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`verifyAccessToken fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### checkAccessTokenSync<sup>10+</sup>

checkAccessTokenSync(tokenID: number, permissionName: Permissions): GrantStatus

Checks whether a permission is granted to an application. This API returns the result synchronously.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to check. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| [GrantStatus](#grantstatus) | Permission grant state.|

**Error codes**

For details about the error codes, see [Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes.|

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionName: Permissions = 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS';
let data: abilityAccessCtrl.GrantStatus = atManager.checkAccessTokenSync(tokenID, permissionName);
console.log(`data->${JSON.stringify(data)}`);
```

### GrantStatus

Enumerates the permission grant states.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ------------------ | ----- | ----------- |
| PERMISSION_DENIED | -1 | Permission denied.|
| PERMISSION_GRANTED | 0 | Permission granted.|

### PermissionStateChangeType<sup>9+</sup>

Enumerates the operations that trigger permission grant state changes.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ----------------------- | ------ | ----------------- |
| PERMISSION_REVOKED_OPER | 0 | Operation to revoke the permission.|
| PERMISSION_GRANTED_OPER | 1 | Operation to grant the permission.|

### PermissionStateChangeInfo<sup>9+</sup>

Defines detailed information about the permission grant state change.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Type | Readable| Writable| Description |
| -------------- | ------------------------- | ---- | ---- | ------------------ |
| change | [PermissionStateChangeType](#permissionstatechangetype9) | Yes | No | Operation that triggers the permission grant state change. |
| tokenID | number | Yes | No | Application token ID.|
| permissionName | Permissions | Yes | No | Permission whose grant state changes. For details about the permissions, see [Permissions for All Applications](../../security/AccessToken/permissions-for-all.md). |
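
The following is an added example, not part of the module or of the original reference. It shows how to turn the values in the [GrantStatus](#grantstatus) table and the result of **requestPermissionsFromUser** into a fail-closed decision. `RequestResult`, `naiveIsGranted`, `isGranted`, `missingPermissions` and the sample data are hypothetical names; the code assumes that `authResults[i]` belongs to `permissions[i]` and that `0` means granted, as in **GrantStatus**.

```typescript
// Added example: local stand-ins so the logic runs outside OpenHarmony.
// Values are taken from the GrantStatus table on this page.
const GrantStatus = { PERMISSION_DENIED: -1, PERMISSION_GRANTED: 0 } as const;

// The two PermissionRequestResult fields that the page's examples log.
interface RequestResult {
  permissions: string[];
  authResults: number[];
}

// Pitfall: PERMISSION_GRANTED is 0 (falsy) and PERMISSION_DENIED is -1 (truthy),
// so a truthiness test such as `if (status)` inverts the decision.
function naiveIsGranted(status: number): boolean {
  return Boolean(status);
}

// Fail closed: only an exact PERMISSION_GRANTED passes; undefined, null and
// any other code count as not granted.
function isGranted(status: number | null | undefined): boolean {
  return status === GrantStatus.PERMISSION_GRANTED;
}

// Requested permissions that are not confirmed granted.
// Assumption: authResults[i] belongs to permissions[i] and 0 means granted.
function missingPermissions(requested: string[], result?: RequestResult): string[] {
  const granted = new Set<string>();
  if (result && result.permissions.length === result.authResults.length) {
    const auth: number[] = result.authResults;
    result.permissions.forEach((name: string, i: number) => {
      if (isGranted(auth[i])) {
        granted.add(name);
      }
    });
  }
  // A missing or malformed result leaves the set empty, so everything is reported.
  return requested.filter((name: string) => !granted.has(name));
}

// Constructed sample data, not output captured from a device.
const REQUESTED: string[] = ['ohos.permission.CAMERA', 'ohos.permission.MICROPHONE'];
const SAMPLE_RESULT: RequestResult = {
  permissions: ['ohos.permission.CAMERA', 'ohos.permission.MICROPHONE'],
  authResults: [0, -1],
};
```

Gate the protected feature on `missingPermissions(...)` returning an empty array, and compare the return value of **checkAccessTokenSync** with `PERMISSION_GRANTED` explicitly.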