# Restricted Permissions

## How to Request

<!--RP1-->

Restricted permissions are permissions that are available to normal applications but must be requested via an [access control list (ACL)](app-permission-mgmt-overview.md#basic-concepts-in-the-permission-mechanism).

To change the APL of a normal application to system_basic or system_core, modify the HarmonyAppProvision file (**Toolchains / _{Version}_ / lib / UnsgnedReleasedProfileTemplate.json** file in the SDK directory) of the application when developing the application installation package, and sign the application again.

**Modification mode**:

Modify the **"bundle-info"** > **"apl"** field in the file.

```json
"bundle-info" : {
    // ...
    "apl": "system_basic",
    // ...
},
```

> **NOTE**
>
> Modifying the HarmonyAppProvision configuration file applies only to applications in the debug phase, not to applications released to the app market. For a commercial application, apply for a release certificate and profile in the app market.

<!--RP1End-->

## Restricted Permissions

### ohos.permission.kernel.DISABLE_GOTPLT_RO_PROTECTION

Allows an application to disable the read-only protection on the .got.plt.

<!--RP22--><!--RP22End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 17

### ohos.permission.SYSTEM_FLOAT_WINDOW

Allows an application to be displayed in a floating window on top of other applications.

<!--RP25--><!--RP25End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 7

### ohos.permission.READ_CONTACTS

Allows an application to read **Contacts**.

<!--RP33--><!--RP33End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 8

### ohos.permission.WRITE_CONTACTS

Allows an application to add, remove, and modify **Contacts**.

<!--RP34--><!--RP34End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 8

### ohos.permission.READ_AUDIO

Allows an application to access the audio files in a user directory.

<!--RP26--><!--RP26End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

### ohos.permission.WRITE_AUDIO

Allows an application to modify the audio files in a user directory.

<!--RP28--><!--RP28End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

### ohos.permission.READ_IMAGEVIDEO

Allows an application to access the images/videos in a user directory.

<!--RP27--><!--RP27End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

### ohos.permission.WRITE_IMAGEVIDEO

Allows an application to modify the images/videos in a user directory.

<!--RP29--><!--RP29End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

<!--Del-->
### ohos.permission.WRITE_DOCUMENT

Allows an application to modify the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

**Deprecated from**: 12

**Alternative solution**:

See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).

### ohos.permission.READ_DOCUMENT

Allows an application to access the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 9

**Deprecated from**: 12

**Alternative solution**:

See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).
<!--DelEnd-->

### ohos.permission.READ_WRITE_DESKTOP_DIRECTORY

Allows an application to access the **Desktop** directory and its subdirectories in the user directory.

<!--RP15-->
Currently, this permission is available only to 2-in-1 device applications.
<!--RP15End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 11

### ohos.permission.ACCESS_DDK_USB

Allows extended peripheral drivers to access the USB DDK interfaces to implement development of USB extended peripheral drivers.

<!--RP31--><!--RP31End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 11

### ohos.permission.ACCESS_DDK_HID

Allows extended peripheral drivers to access the HID DDK interfaces to implement development of HID extended peripheral drivers.

<!--RP30--><!--RP30End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 11

### ohos.permission.READ_PASTEBOARD

Allows an application to read **Pasteboard** data.

<!--RP32--><!--RP32End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 11

### ohos.permission.FILE_ACCESS_PERSIST

Allows an application to support persistent access to file URIs.

<!--RP18--><!--RP18End-->

**Permission level**: normal

**Authorization mode**: system_grant

**Valid since**: 11

**Changelog**: The permission level is system_basic in API version 11, and is changed to normal since API version 12.

### ohos.permission.INTERCEPT_INPUT_EVENT

Allows an application to intercept input events.

<!--RP24--><!--RP24End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 11

**Changelog**: The permission level is system_core in API version 11, and is changed to system_basic since API version 12.

### ohos.permission.INPUT_MONITORING

Allows an application to listen for input events.

<!--RP23--><!--RP23End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 7

**Changelog**: The permission level is system_core in API versions 7 to 11, and is changed to system_basic since API version 12.

### ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO

Allows an application to save images and videos to the user's directory for up to 30 minutes after obtaining the permission. After 30 minutes, a dialog box is displayed again to request user authorization.

<!--RP21--><!--RP21End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Valid since**: 12

### ohos.permission.READ_WRITE_USER_FILE

Allows an application to access and modify files in user directories.

<!--RP19-->
Currently, this permission is available only to 2-in-1 device applications.
<!--RP19End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 13

### ohos.permission.READ_WRITE_USB_DEV

Allows an application to connect to a device and read and write the device data via USB for debugging purposes.

<!--RP20-->
Currently, this permission is available only to 2-in-1 device applications.
<!--RP20End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 13

### ohos.permission.GET_WIFI_PEERS_MAC

Allows an application to obtain the MAC address of the peer Wi-Fi device.

This permission is required if you want to obtain the MAC address of the peer device when obtaining the Wi-Fi scanning result.

<!--RP14--><!--RP14End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 8

**Changelog**: The permission level is system_core in API versions 8 to 13, and is changed to system_basic since API version 14.

### ohos.permission.kernel.DISABLE_CODE_MEMORY_PROTECTION

Allows an application to disable its runtime code integrity protection.

<!--RP11-->
For an application developed using the cross-platform framework, this permission allows the application to disable its runtime code integrity protection. Currently, this permission is available only to applications running on tablets and 2-in-1 devices.
<!--RP11End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.kernel.ALLOW_WRITABLE_CODE_MEMORY

Allows an application to apply for writable and executable anonymous memory.

<!--RP10-->
For an application developed using the cross-platform framework, this permission allows the application to apply for writable and executable anonymous memory. Currently, this permission is available only to applications running on tablets and 2-in-1 devices.
<!--RP10End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.kernel.ALLOW_EXECUTABLE_FORT_MEMORY

Allows the system JS engine of an application to apply for anonymous executable memory with the MAP_FORT identifier.

After the application has this permission, the system JS engine can request anonymous executable memory with MAP_FORT for just-in-time (JIT) compilation, which increases the runtime execution efficiency.

<!--RP13--><!--RP13End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.MANAGE_PASTEBOARD_APP_SHARE_OPTION

Allows an application to set or remove the pasteable range of pasteboard data.

<!--RP16--><!--RP16End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.MANAGE_UDMF_APP_SHARE_OPTION

Allows an application to set or remove the sharing range of the data supported by the UDMF.

<!--RP17--><!--RP17End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 14

### ohos.permission.ACCESS_DISK_PHY_INFO

Allows an application to obtain the disk hardware information.

<!--RP3--><!--RP3End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.PRELOAD_FILE

Allows an application to preload files to improve the file opening speed.

<!--RP9--><!--RP9End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.SET_PAC_URL

Allows an application to set the URL of the proxy auto config (PAC) script.

After the script address is configured, other applications can read and parse this script and determine whether to use a proxy based on the parsing result.

<!--RP4--><!--RP4End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.PERSONAL_MANAGE_RESTRICTIONS

Allows a device administrator application to manage personal device restrictions.

<!--RP7--><!--RP7End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.START_PROVISIONING_MESSAGE

Allows an application to start the device management service deployment process, which activates the application as a personal device administrator application.

<!--RP8--><!--RP8End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.USE_FRAUD_CALL_LOG_PICKER

Allows an application to use the fraud call log Picker to obtain call logs.

<!--RP5--><!--RP5End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.USE_FRAUD_MESSAGES_PICKER

Allows an application to use the fraud message Picker to obtain SMS messages.

<!--RP6--><!--RP6End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 15

### ohos.permission.PERSISTENT_BLUETOOTH_PEERS_MAC

Allows an application to persist the virtual random address corresponding to the MAC address of the peer Bluetooth device.

With this permission, the application can persist the virtual random address of the peer Bluetooth device obtained via BLE scanning, BR scanning, or listening for connections. The persistent virtual random address can still be used even if Bluetooth is enabled or disabled, or the Bluetooth device is restarted.

<!--RP36--><!--RP36End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 16

### ohos.permission.ACCESS_VIRTUAL_SCREEN

Allows an application to manage virtual screens.

With this permission, the application can call APIs to perform virtual screen management, including creating, using, and destroying a virtual screen.

<!--RP37--><!--RP37End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 16

### ohos.permission.USE_FRAUD_APP_PICKER

Allows an application to use the fraud app Picker to obtain application information.

<!--RP2--><!--RP2End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 18

### ohos.permission.kernel.SUPPORT_PLUGIN

Allows an application to install plugins.

<!--RP35--><!--RP35End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 18

### ohos.permission.MANAGE_APN_SETTING

Allows an application to read or set APN information.

This permission is required for the applications that need to use private network APN information.

<!--RP38--><!--RP38End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Valid since**: 16