# Permissions for Enterprise Applications

<!--Kit: ArkUI-->
<!--Subsystem: Security-->
<!--Owner: @harylee-->
<!--SE: @linshuqing; @hehehe-li-->
<!--TSE: @leiyuqian-->

The following permissions are open to <!--Del-->system applications and <!--DelEnd-->enterprise applications.

Enterprise applications include normal enterprise applications and mobile device management (MDM) applications.

Enterprise applications have the following characteristics:

- They run only on enterprise-customized devices and do not run on common consumer devices.
- The distribution types are enterprise_normal (normal enterprise applications) and enterprise_mdm (MDM applications).
<!--RP1--><!--RP1End-->

For details about how to request the permissions for enterprise applications, see [declaring permissions](declare-permissions.md).

> **NOTE**
>
> The following permissions do not support automatic code signing. You must [manually sign the code](https://developer.huawei.com/consumer/en/doc/harmonyos-guides/ide-signing#section297715173233) during the debugging and release phases.

## ohos.permission.SET_FILE_GUARD_POLICY

Allows an application to update the file guard policy.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 10

**Changelog**: For API versions 10 to 14, this permission is of the system_core level and available only to MDM applications. Starting from API version 14, the permission level is changed to system_basic and this permission is accessible to normal enterprise applications.

## ohos.permission.FILE_GUARD_MANAGER

Allows an application to scan media and sandbox and set file extended properties.

Currently, the extended attributes include the file security level and file label.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 10

**Changelog**: For API versions 10 to 14, this permission is of the system_core level and available only to MDM applications. Starting from API version 14, the permission level is changed to system_basic and this permission is accessible to normal enterprise applications.

## ohos.permission.FILE_GUARD_FILE_WRITE

Allows an enterprise application to modify files.

With this permission, the application can obtain the write permission on user files and modify them.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS

Allows an application to interact across local accounts.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 7

**Changelog**: This permission is available only to system applications in API versions 7 to 13. From API version 14, it is available to normal enterprise applications.

## ohos.permission.GET_RUNNING_INFO

Allows an application to obtain running status information of another application.

With this permission, the application can obtain the runtime information of other applications, including the **Ability**, **Extension**, and **Application** information.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 7

**Changelog**: This permission is available only to system applications in API versions 7 to 13. From API version 14, it is available to normal enterprise applications.

## ohos.permission.RUNNING_STATE_OBSERVER

Allows an application to listen for the state of another application.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 7

**Changelog**: This permission is available only to system applications in API versions 7 to 13. From API version 14, it is available to normal enterprise applications.

## ohos.permission.GET_BUNDLE_INFO_PRIVILEGED

Allows an application to obtain basic information and sensitive information about another application, such as the app bundle name and version.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 7

**Changelog**: This permission is available only to system applications in API versions 7 to 13. From API version 14, it is available to normal enterprise applications.

## ohos.permission.GET_WIFI_CONFIG

Allows an application to obtain the Wi-Fi configuration.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Supported devices**: PCs/2-in-1 devices

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 8

**Changelog**: This permission is available only to system applications in API versions 8 to 14. From API version 15, it is available to normal enterprise applications.

## ohos.permission.SET_WIFI_CONFIG

Allows an application to configure Wi-Fi information.

With this permission, the application can add and delete Wi-Fi networks, and modify Wi-Fi configurations.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 8

**Changelog**: This permission is available only to system applications in API versions 8 to 14. From API version 15, it is available to normal enterprise applications.

## ohos.permission.GET_DOMAIN_ACCOUNTS

Allows an application to obtain domain account information.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 10

**Changelog**: This permission is available only to system applications in API versions 10 to 13. From API version 14, it is available to normal enterprise applications.

## ohos.permission.QUERY_AUDIT_EVENT

Allows an enterprise security application to query security audit events.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 12

**Changelog**: This permission is available only to MDM applications in API versions 12 to 13. From API version 14, it is available to normal enterprise applications.

## ohos.permission.KILL_APP_PROCESSES

Allows a system application to kill other application processes.

With this permission, the system application can terminate other running applications and manage processes in the system when necessary.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 12

**Changelog**: This permission is available only to system applications in API versions 7 to 13. From API version 14, it is available to normal enterprise applications.

## ohos.permission.SET_TELEPHONY_ESIM_STATE_OPEN

Allows a system application or carrier application to set the eSIM nickname and activate the eSIM.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 14

**Changelog**: The permission level is **normal** in API version 13 and **system_basic** since API version 14.

## ohos.permission.MANAGE_ENTERPRISE_WIFI_CONNECTION

Allows an application to manage Wi-Fi connections.

With this permission, the application can enable or disable Wi-Fi, connect to Wi-Fi, and disconnect from Wi-Fi.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Enable via ACL**: true

**Valid since**: 15

## ohos.permission.ACCESS_ENTERPRISE_USER_TRUSTED_CERT

Allows an application to access the user CA certificates of enterprise devices.

With this permission, the enterprise application can install private CA certificates on enterprise devices and manage the installed certificates.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 18

## ohos.permission.MANAGE_NET_FIREWALL

Allows a system application to configure firewall rules.

Currently, this permission is available only to 2-in-1 device applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 12

**Changelog**: This permission is available only to system applications in API versions 12 to 14. From API version 15, it is available to normal enterprise applications.

## ohos.permission.GET_NET_FIREWALL

Allows a system application to obtain firewall rules and firewall interception records.

Currently, this permission is available only to 2-in-1 device applications.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 12

**Changelog**: This permission is available only to system applications in API versions 12 to 14. From API version 15, it is available to normal enterprise applications.

## ohos.permission.GET_DOMAIN_ACCOUNT_SERVER_CONFIGS

Allows an application to obtain domain account server configurations.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 18

## ohos.permission.MANAGE_DOMAIN_ACCOUNT_SERVER_CONFIGS

Allows an application to manage domain account server configurations.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 18

## ohos.permission.MANAGE_DOMAIN_ACCOUNTS

Allows an application to manage domain accounts.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 18

## ohos.permission.GET_SIGNATURE_INFO

Allows an application to obtain the application package signature information.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 18

## ohos.permission.VISIBLE_WINDOW_INFO

Allows an application to obtain visible window information of the current screen.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Valid since**: 18

## ohos.permission.kernel.AUTH_AUDIT_EVENT

Allows an enterprise security application to block security audit events.

With this permission, the enterprise security application can block security audit events, including file creation, opening, and deletion.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.SUPPORT_APP_SERVICE_EXTENSION

Allows an application to be started as an **AppServiceExtension**.

With this permission, the application can be started or connected as an **AppServiceExtension** by the same application or an application in the **appidentifierAllowList** configuration.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.ENTERPRISE_MANAGE_EAP

Allows enterprise network security software to add private information to EAP packets.

With this permission, the software can obtain 802.1X packets and add information to complete custom authentication.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.SUPPORT_INSTALL_ON_U1

Allows an application to be installed under User1.

User1 is a user who supports third-party applications running in singleton mode.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.QUERY_LOCAL_WORKSPACES

Allows a normal enterprise application to query workspaces and the list of workspaces that cannot be deleted.

With this permission, the application can query the basic information about workspaces and the workspaces that cannot be deleted.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.SET_NET_EXT_ATTRIBUTE

Allows an application to set network-specific extended attributes.

With this permission, the application can specify whether a network is identified as internal or external.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.MANAGE_ANTIVIRUS

Allows an enterprise application to manage antivirus software.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: phones | PCs/2-in-1 devices | tablets

**Valid since**: 20

## ohos.permission.REGISTER_ANTIVIRUS

Allows enterprise antivirus software to register with the system and update basic information.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: phones | PCs/2-in-1 devices | tablets

**Valid since**: 20

## ohos.permission.CALL_TPM_CMD

Allows an application to call Trusted Platform Module (TPM) commands.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20

## ohos.permission.ENTERPRISE_WORKSPACES_EVENT_SUBSCRIBE

Allows an enterprise application to subscribe to events related to the enterprise workspace.

With this permission, the application can call **spaceManager.subscribeEvent** or **spaceManager.unsubscribeEvent** to subscribe to or unsubscribe from events related to the enterprise workspace.

**Permission level**: system_basic

**Authorization mode**: system_grant

<!--Del-->
**Enable via ACL**: true<!--DelEnd-->

**Supported devices**: PCs/2-in-1 devices

**Valid since**: 20