# Restricted Permissions

## How to Request

Restricted permissions are permissions that are available to normal applications but must be requested via [access control list (ACL)](app-permission-mgmt-overview.md#basic-concepts-in-the-permission-mechanism).

To change the APL of a normal application to system_basic or system_core, modify the HarmonyAppProvision file (**Toolchains / _{Version} _/ lib / UnsgnedReleasedProfileTemplate.json** file in the SDK directory) of the application when developing the application installation package, and sign the application again.

**Modification mode**:

Modify the **"bundle-info"** > **"apl"** field in the file.

```json
"bundle-info" : {
    // ...
    "apl": "system_basic",
    // ...
},
```

> **NOTE**
>
> Modifying the HarmonyAppProvision configuration file applies to the applications in the debug phase, but not to the applications released to the app market. For a commercial application, apply for a release certificate and profile in the app market.

## Restricted Permissions

### ohos.permission.kernel.DISABLE_GOTPLT_RO_PROTECTION

Allows an application to disable the read-only protection on the .got.plt.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 17

### ohos.permission.SYSTEM_FLOAT_WINDOW

Allows an application to be displayed in a floating window on top of other applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 7

### ohos.permission.READ_CONTACTS

Allows an application to read **Contacts**.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 8

### ohos.permission.WRITE_CONTACTS

Allows an application to add, remove, and modify **Contacts**.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 8

### ohos.permission.READ_AUDIO

Allows an application to access the audio files in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

### ohos.permission.WRITE_AUDIO

Allows an application to modify the audio files in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

### ohos.permission.READ_IMAGEVIDEO

Allows an application to access the images/videos in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

### ohos.permission.WRITE_IMAGEVIDEO

Allows an application to modify the images/videos in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

### ohos.permission.WRITE_DOCUMENT

Allows an application to modify the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

**Deprecated from**: 12

**Alternative solution**: See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).

### ohos.permission.READ_DOCUMENT

Allows an application to access the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

**Deprecated from**: 12

**Alternative solution**: See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).

### ohos.permission.READ_WRITE_DESKTOP_DIRECTORY

Allows an application to access the **Desktop** directory and its subdirectories in the user directory.

Currently, this permission is available only to 2-in-1 device applications.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 11

### ohos.permission.ACCESS_DDK_USB

Allows extended peripheral drivers to access the USB DDK interfaces to implement development of USB extended peripheral drivers.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 11

### ohos.permission.ACCESS_DDK_HID

Allows extended peripheral drivers to access the HID DDK interfaces to implement development of HID extended peripheral drivers.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 11

### ohos.permission.READ_PASTEBOARD

Allows an application to read **Pasteboard** data.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 11

### ohos.permission.FILE_ACCESS_PERSIST

Allows an application to support persistent access to file URIs.

**Permission level**: normal

**Authorization mode**: system_grant

**Valid since**: 11

**Changelog**: The permission level is system_basic in API version 11, and is changed to normal since API version 12.

### ohos.permission.INTERCEPT_INPUT_EVENT

Allows an application to intercept input events.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 11

**Changelog**: The permission level is system_core in API version 11, and is changed to system_basic since API version 12.

### ohos.permission.INPUT_MONITORING

Allows an application to listen for input events.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 7

**Changelog**: The permission level is system_core in API versions 7 to 11, and is changed to system_basic since API version 12.

### ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO

Allows an application to save images and videos to the user's directory within up to 30 minutes after obtaining the permission. If it exceeds 30 minutes, a dialog box will be displayed again to request user authorization.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 12

### ohos.permission.READ_WRITE_USER_FILE

Allows an application to access and modify files in user directories.

Currently, this permission is available only to 2-in-1 device applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 13

### ohos.permission.READ_WRITE_USB_DEV

Allows an application to connect to a device and read and write the device data via USB for debugging purposes.

Currently, this permission is available only to 2-in-1 device applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 13

### ohos.permission.GET_WIFI_PEERS_MAC

Allows an application to obtain the MAC address of the peer Wi-Fi device.

This permission is required if you want to obtain the MAC address of the peer device when obtaining the Wi-Fi scanning result.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 8

**Changelog**: The permission level is system_core in API versions 8 to 13, and is changed to system_basic since API version 14.

### ohos.permission.kernel.DISABLE_CODE_MEMORY_PROTECTION

Allows an application to disable its runtime code integrity protection.

For the application developed using the cross-platform framework, this permission allows the application to disable its runtime code integrity protection.

Currently, this permission is available only to applications running on tablets and 2-in-1 devices.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.kernel.ALLOW_WRITABLE_CODE_MEMORY

Allows an application to apply for writable and executable anonymous memory.

For the application developed using the cross-platform framework, this permission allows the application to apply for writable and executable anonymous memory.

Currently, this permission is available only to applications running on tablets and 2-in-1 devices.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.kernel.ALLOW_EXECUTABLE_FORT_MEMORY

Allows an application to have its system JS engine apply for anonymous executable memory with the MAP_FORT identifier.

After the application has this permission, the system JS engine can request anonymous executable memory with MAP_FORT for just-in-time (JIT) compilation, which increases the runtime execution efficiency.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.MANAGE_PASTEBOARD_APP_SHARE_OPTION

Allows an application to set or remove the pasteable range of pasteboard data.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.MANAGE_UDMF_APP_SHARE_OPTION

Allows an application to set or remove the sharing range of the data supported by the UDMF.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.ACCESS_DISK_PHY_INFO

Allows an application to obtain the disk hardware information.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.PRELOAD_FILE

Allows an application to preload files to improve the file opening speed.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.SET_PAC_URL

Allows an application to set the URL of the proxy auto config (PAC) script.

After the script address is configured, other applications can read and parse this script and determine whether to use a proxy based on the parsing result.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.PERSONAL_MANAGE_RESTRICTIONS

Allows a device administrator application to manage personal device restrictions.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.START_PROVISIONING_MESSAGE

Allows an application to start the device management service deployment process, which activates the application as a personal device administrator application.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.USE_FRAUD_CALL_LOG_PICKER

Allows an application to use the fraud call log Picker to obtain call logs.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.USE_FRAUD_MESSAGES_PICKER

Allows an application to use the fraud message Picker to obtain SMS messages.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.PERSISTENT_BLUETOOTH_PEERS_MAC

Allows an application to persist the virtual random address corresponding to the MAC address of the peer Bluetooth device.

With this permission, the application can persist the virtual random address of the peer Bluetooth device obtained via BLE scanning, BR scanning, or listening for connections. The persistent virtual random address can still be used even if Bluetooth is enabled or disabled, or the Bluetooth device is restarted.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 16

### ohos.permission.ACCESS_VIRTUAL_SCREEN

Allows an application to manage virtual screens.

With this permission, the application can call APIs to perform virtual screen management, including creating, using, and destroying a virtual screen.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 16

### ohos.permission.USE_FRAUD_APP_PICKER

Allows an application to use the fraud app Picker to obtain application information.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 18

### ohos.permission.kernel.SUPPORT_PLUGIN

Allows an application to install plugins.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 18

### ohos.permission.MANAGE_APN_SETTING

Allows an application to read or set APN information.

This permission is required for the applications that need to use private network APN information.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 16
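
The request rules in "How to Request" and the permission levels listed above can be checked before signing. The following is an added example, not code from the original page or the OpenHarmony project. It assumes that a permission is grantable when the profile's APL is at or above the permission level or the permission appears in the profile's ACL, and that ACL entries are stored under `"acls"` > `"allowed-acls"`; `review_profile` and the sample data are hypothetical.

```python
# APL ordering: normal < system_basic < system_core.
APL_RANK = {"normal": 0, "system_basic": 1, "system_core": 2}
# Permission levels copied from this page (subset of the list).
PERMISSION_LEVEL = {
    "ohos.permission.FILE_ACCESS_PERSIST": "normal",
    "ohos.permission.READ_CONTACTS": "system_basic",
    "ohos.permission.READ_PASTEBOARD": "system_basic",
    "ohos.permission.kernel.DISABLE_GOTPLT_RO_PROTECTION": "system_basic",
    "ohos.permission.kernel.DISABLE_CODE_MEMORY_PROTECTION": "system_basic",
    "ohos.permission.kernel.ALLOW_WRITABLE_CODE_MEMORY": "system_basic",
}
# Entries above that relax a code or memory protection of the application.
PROTECTION_OPT_OUT = {n for n in PERMISSION_LEVEL if ".kernel." in n}

def review_profile(profile, requested):
    """Return (findings, ungrantable) for a parsed profile and requested names."""
    apl = profile.get("bundle-info", {}).get("apl", "normal")
    if apl not in APL_RANK:
        raise ValueError(f"unknown apl: {apl!r}")
    # Assumption: ACL entries sit under "acls" > "allowed-acls" (not on this page).
    acls = set(profile.get("acls", {}).get("allowed-acls", []))
    findings, ungrantable = [], []
    if APL_RANK[apl] > APL_RANK["normal"]:
        findings.append(f"apl is {apl}: profile edit is for debug builds only")
    for name in requested:
        level = PERMISSION_LEVEL.get(name)
        if level is None:
            findings.append(f"{name}: level unknown, check the list manually")
            continue
        # Assumed grant rule: APL at or above the level, or an ACL entry.
        if APL_RANK[apl] < APL_RANK[level] and name not in acls:
            ungrantable.append(name)
        if name in PROTECTION_OPT_OUT:
            findings.append(f"{name}: relaxes a memory protection, needs sign-off")
    return findings, ungrantable

# Constructed sample input, not taken from a real application.
SAMPLE_PROFILE = {
    "bundle-info": {"apl": "normal"},
    "acls": {"allowed-acls": ["ohos.permission.READ_PASTEBOARD"]},
}
SAMPLE_REQUESTED = [
    "ohos.permission.FILE_ACCESS_PERSIST",
    "ohos.permission.READ_PASTEBOARD",
    "ohos.permission.READ_CONTACTS",
    "ohos.permission.kernel.ALLOW_WRITABLE_CODE_MEMORY",
]
if __name__ == "__main__":
    print(review_profile(SAMPLE_PROFILE, SAMPLE_REQUESTED))
```

With the sample profile, `READ_PASTEBOARD` passes through its ACL entry and `FILE_ACCESS_PERSIST` passes at the normal level, while the other two requests are reported as ungrantable.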