# Restricted Permissions

## How to Request

Restricted permissions are available to normal applications, but they must be requested via the [access control list (ACL)](app-permission-mgmt-overview.md#basic-concepts-in-the-permission-mechanism).

To change the APL of a normal application to system_basic or system_core, modify the HarmonyAppProvision file (**Toolchains / _{Version} _/ lib / UnsgnedReleasedProfileTemplate.json** file in the SDK directory) of the application when developing the application installation package, and sign the application again.

**Modification mode**:

Modify the **"bundle-info"** > **"apl"** field in the file.

```json
"bundle-info" : {
    // ...
    "apl": "system_basic",
    // ...
},
```

> **NOTE**
>
> Modifying the HarmonyAppProvision configuration file applies to the applications in the debug phase, but not to the applications released to the app market. For a commercial application, apply for a release certificate and profile in the app market.

## ohos.permission.SYSTEM_FLOAT_WINDOW

Allows an application to be displayed in a floating window on top of other applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 7

## ohos.permission.READ_CONTACTS

Allows an application to read **Contacts**.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 8

## ohos.permission.WRITE_CONTACTS

Allows an application to add, remove, and modify **Contacts**.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 8

## ohos.permission.READ_AUDIO

Allows an application to access the audio files in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

## ohos.permission.WRITE_AUDIO

Allows an application to modify the audio files in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

## ohos.permission.READ_IMAGEVIDEO

Allows an application to access the images/videos in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

## ohos.permission.WRITE_IMAGEVIDEO

Allows an application to modify the images/videos in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

## ohos.permission.WRITE_DOCUMENT

Allows an application to modify the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

**Deprecated from**: 12

**Alternative solution**: See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).

## ohos.permission.READ_DOCUMENT

Allows an application to access the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

**Deprecated from**: 12

**Alternative solution**: See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).

## ohos.permission.READ_WRITE_DESKTOP_DIRECTORY

Allows an application to access the **Desktop** directory and its subdirectories in the user directory. Currently, only applications on 2-in-1 devices and tablets can request this permission.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 11

## ohos.permission.ACCESS_DDK_USB

Allows extended peripheral drivers to access the USB DDK interfaces to implement development of USB extended peripheral drivers.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 11

## ohos.permission.ACCESS_DDK_HID

Allows extended peripheral drivers to access the HID DDK interfaces to implement development of HID extended peripheral drivers.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 11

## ohos.permission.READ_PASTEBOARD

Allows an application to read **Pasteboard** data.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 11

## ohos.permission.FILE_ACCESS_PERSIST

Allows an application to support persistent access to file URIs.

**Permission level**: normal

**Authorization mode**: system_grant

**Since**: 11

**Changelog**: The permission level is system_basic in API version 11, and is changed to normal since API version 12.

## ohos.permission.INTERCEPT_INPUT_EVENT

Allows an application to intercept input events.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 11

**Changelog**: The permission level is system_core in API version 11, and is changed to system_basic since API version 12.

## ohos.permission.INPUT_MONITORING

Allows an application to listen for input events.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 7

**Changelog**: The permission level is system_core in API versions 7 to 11, and is changed to system_basic since API version 12.

## ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO

Allows an application to save images and videos to the user's directory within up to 30 minutes after obtaining the permission. If it exceeds 30 minutes, a dialog box will be displayed again to request user authorization.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 12

## ohos.permission.READ_WRITE_USER_FILE

Allows an application to access and modify files in user directories.

Currently, this permission is available only to 2-in-1 device applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 13

## ohos.permission.READ_WRITE_USB_DEV

Allows an application to connect to a device and read and write the device data via USB for debugging purposes.

Currently, this permission is available only to 2-in-1 device applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 13

## ohos.permission.GET_WIFI_PEERS_MAC

Allows an application to obtain the MAC address of the peer Wi-Fi device.

This permission is required if you want to obtain the MAC address of the peer device when obtaining the Wi-Fi scanning result.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 8

**Changelog**: The permission level is system_core in API versions 8 to 13, and is changed to system_basic since API version 14.

## ohos.permission.kernel.DISABLE_CODE_MEMORY_PROTECTION

Allows an application to disable its runtime code integrity protection.

For the application developed using the cross-platform framework, this permission allows the application to disable its runtime code integrity protection.

Currently, this permission is available only to applications running on tablets and 2-in-1 devices.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.kernel.ALLOW_WRITABLE_CODE_MEMORY

Allows an application to apply for writable and executable anonymous memory.

For the application developed using the cross-platform framework, this permission allows the application to apply for writable and executable anonymous memory.

Currently, this permission is available only to applications running on tablets and 2-in-1 devices.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.kernel.ALLOW_EXECUTABLE_FORT_MEMORY

Allows the system JS engine of an application to apply for anonymous executable memory with the MAP_FORT identifier.

After the application has this permission, the system JS engine can request anonymous executable memory with MAP_FORT for just-in-time (JIT) compilation, which increases the runtime execution efficiency.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.MANAGE_PASTEBOARD_APP_SHARE_OPTION

Allows an application to set or remove the pasteable range of pasteboard data.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.MANAGE_UDMF_APP_SHARE_OPTION

Allows an application to set or remove the sharing range of the data supported by the UDMF.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.ACCESS_DISK_PHY_INFO

Allows an application to obtain the disk hardware information.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.PRELOAD_FILE

Allows an application to preload files to improve the file opening speed.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.SET_PAC_URL

Allows an application to set the URL of the proxy auto config (PAC) script.

After the script address is configured, other applications can read and parse this script and determine whether to use a proxy based on the parsing result.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.PERSONAL_MANAGE_RESTRICTIONS

Allows a device administrator application to manage personal device restrictions.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.START_PROVISIONING_MESSAGE

Allows an application to start the device management service deployment process, which activates the application as a personal device administrator application.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.USE_FRAUD_CALL_LOG_PICKER

Allows an application to use the fraud call log Picker to obtain call logs.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.USE_FRAUD_MESSAGES_PICKER

Allows an application to use the fraud message Picker to obtain SMS messages.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.PERSISTENT_BLUETOOTH_PEERS_MAC

Allows an application to persist the virtual random address corresponding to the MAC address of the peer Bluetooth device.

With this permission, the application can persist the virtual random address of the peer Bluetooth device obtained via BLE scanning, BR scanning, or listening for connections. The persistent virtual random address can still be used even if Bluetooth is enabled or disabled, or the Bluetooth device is restarted.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 16

## ohos.permission.ACCESS_VIRTUAL_SCREEN

Allows an application to manage virtual screens.

With this permission, the application can call APIs to perform virtual screen management, including creating, using, and destroying a virtual screen.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 18

## ohos.permission.MANAGE_APN_SETTING

Allows an application to read or set APN information.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 16

## ohos.permission.GET_WIFI_LOCAL_MAC

Allows an application to obtain the MAC address of the local Wi-Fi device.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 8

**Change history:** For API versions 8 to 15, this permission is available only to system applications. For API versions 16 and later, this permission is available to common applications on PCs/2-in-1 devices, and is available only to system applications on other devices.

## ohos.permission.kernel.ALLOW_USE_JITFORT_INTERFACE

Allows an application to call the JITFort API to update the content in MAP_FORT.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 16

## ohos.permission.kernel.DISABLE_GOTPLT_RO_PROTECTION

Allows an application to disable the read-only protection on .got.plt.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 17

## ohos.permission.USE_FRAUD_APP_PICKER

Allows an application to use the fraud app Picker to obtain application information.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 18

## ohos.permission.ACCESS_DDK_DRIVERS

Allows a peripheral extension driver client to bind to the driver server.

This permission can be requested successfully only when:

1. The target extension driver server in the value field of the permission declaration for the peripheral extension driver client has been launched or both the server and client have been launched.
2. The capabilities provided by the target extension driver server comply with the requirements of the peripheral extension driver client.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Extra data**: Yes. For details about the configuration method, see [UI-based Driver Development](../../device/driver/externaldevice-guidelines.md#application-signing).

**Since**: 18

## ohos.permission.kernel.SUPPORT_PLUGIN

Allows an application to install plugins.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 19

## ohos.permission.CUSTOM_SANDBOX

Allows an application to set the sandbox type to dynamic sandbox.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 18

## ohos.permission.MANAGE_SCREEN_TIME_GUARD

Allows an application to call the screen time guard APIs to restrict screen usage, apply application access control, and control the screen usage time.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 20

## ohos.permission.CUSTOMIZE_SAVE_BUTTON

Allows an application to customize the icon and text of **SaveButton**.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: general devices

**Since**: 20

## ohos.permission.GET_ABILITY_INFO

Allows an application to query **Ability** information based on the URI.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: PCs/2-in-1 devices

**Since**: 20

## ohos.permission.ACCESS_FIDO2_ONLINEAUTH

Allows an application to use the Native Development Kit (NDK) of the passkey service.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20

## ohos.permission.USE_FLOAT_BALL

Allows an application to use the global float ball.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | tablets

**Since**: 20

## ohos.permission.DLP_GET_HIDE_STATUS

Allows an application to use the information hiding APIs to obtain the information hiding status.

With this permission, the application can obtain the current screen peeping state, that is, whether others are peeping at the screen.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones

**Since**: 18

**Changelog**: This permission is available only to system applications in API versions 18 to 19. From API version 20, it's also available to normal applications.

## ohos.permission.READ_LOCAL_DEVICE_NAME

Allows an application to obtain the local device name.

With this permission, the application can obtain the device name on the **About** screen in **Settings**. Without this permission, the application can only obtain the default device name.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20

## ohos.permission.atomicService.MANAGE_STORAGE

Allows an atomic service to request differentiated storage space.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20

## ohos.permission.KEEP_BACKGROUND_RUNNING_SYSTEM

Allows an application to request continuous tasks of special types, such as computing tasks.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: general devices

**Since**: 20

## ohos.permission.LINKTURBO

Allows an application to achieve multipath transmission.

With this permission, the application can initiate operations such as multi-network activation, monitoring, and release for multipath transmission.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20

## ohos.permission.ACCESS_NET_TRACE_INFO

Allows an application to detect the network and obtain the TraceRoute information to determine the possible causes of high network latency.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: general devices

**Since**: 20