# Restricted Permissions

<!--Kit: ArkUI-->
<!--Subsystem: Security-->
<!--Owner: @harylee-->
<!--SE: @linshuqing; @hehehe-li-->
<!--TSE: @leiyuqian-->

## How to Request

<!--RP1-->

Restricted permissions are available to normal applications, but they must be requested through the [access control list (ACL)](app-permission-mgmt-overview.md#basic-concepts-in-the-permission-mechanism).

To change the APL of a normal application to system_basic or system_core, modify the HarmonyAppProvision file (**Toolchains / _{Version} _/ lib / UnsgnedReleasedProfileTemplate.json** file in the SDK directory) of the application when developing the application installation package, and sign the application again.

**Modification mode**:

Modify the **"bundle-info"** > **"apl"** field in the file.

```json
"bundle-info" : {
    // ...
    "apl": "system_basic",
    // ...
},
```

> **NOTE**
>
> Modifying the HarmonyAppProvision configuration file applies only to applications in the debug phase, not to applications released to the app market. For a commercial application, apply for a release certificate and profile in the app market.

<!--RP1End-->

## ohos.permission.SYSTEM_FLOAT_WINDOW

Allows an application to be displayed in a floating window on top of other applications.

<!--RP25--><!--RP25End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 7

## ohos.permission.READ_CONTACTS

Allows an application to read **Contacts**.

<!--RP33--><!--RP33End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 8

## ohos.permission.WRITE_CONTACTS

Allows an application to add, remove, and modify **Contacts**.

<!--RP34--><!--RP34End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 8

## ohos.permission.READ_AUDIO

Allows an application to access the audio files in a user directory.

<!--RP26--><!--RP26End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

## ohos.permission.WRITE_AUDIO

Allows an application to modify the audio files in a user directory.

<!--RP28--><!--RP28End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

## ohos.permission.READ_IMAGEVIDEO

Allows an application to access the images/videos in a user directory.

<!--RP27--><!--RP27End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

## ohos.permission.WRITE_IMAGEVIDEO

Allows an application to modify the images/videos in a user directory.

<!--RP29--><!--RP29End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

<!--Del-->
## ohos.permission.WRITE_DOCUMENT

Allows an application to modify the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

**Deprecated from**: 12

**Alternative solution**:

See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).

## ohos.permission.READ_DOCUMENT

Allows an application to access the documents in a user directory.

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 9

**Deprecated from**: 12

**Alternative solution**:

See the [alternative solution of the **Files** permission group](app-permission-group-list.md#filesdeprecated).
<!--DelEnd-->

## ohos.permission.READ_WRITE_DESKTOP_DIRECTORY

Allows an application to access the **Desktop** directory and its subdirectories in the user directory.

<!--RP15-->
Currently, only applications on 2-in-1 devices and tablets can request this permission.
<!--RP15End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 11

## ohos.permission.ACCESS_DDK_USB

Allows extended peripheral drivers to access the USB DDK interfaces to implement development of USB extended peripheral drivers.

<!--RP31--><!--RP31End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 11

## ohos.permission.ACCESS_DDK_HID

Allows extended peripheral drivers to access the HID DDK interfaces to implement development of HID extended peripheral drivers.

<!--RP30--><!--RP30End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 11

## ohos.permission.READ_PASTEBOARD

Allows an application to read **Pasteboard** data.

<!--RP32--><!--RP32End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 11

## ohos.permission.FILE_ACCESS_PERSIST

Allows an application to support persistent access to file URIs.

<!--RP18--><!--RP18End-->

**Permission level**: normal

**Authorization mode**: system_grant

**Since**: 11

**Changelog**: The permission level is system_basic in API version 11, and is changed to normal since API version 12.

## ohos.permission.INTERCEPT_INPUT_EVENT

Allows an application to intercept input events.

<!--RP24--><!--RP24End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 11

**Changelog**: The permission level is system_core in API version 11, and is changed to system_basic since API version 12.

## ohos.permission.INPUT_MONITORING

Allows an application to listen for input events.

<!--RP23--><!--RP23End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 7

**Changelog**: The permission level is system_core in API versions 7 to 11, and is changed to system_basic since API version 12.

## ohos.permission.SHORT_TERM_WRITE_IMAGEVIDEO

Allows an application to save images and videos to the user's directory for up to 30 minutes after obtaining the permission. If it exceeds 30 minutes, a dialog box will be displayed again to request user authorization.

<!--RP21--><!--RP21End-->

**Permission level**: system_basic

**Authorization mode**: user_grant

**Since**: 12

## ohos.permission.READ_WRITE_USER_FILE

Allows an application to access and modify files in user directories.

<!--RP19-->
Currently, this permission is available only to 2-in-1 device applications.
<!--RP19End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 13

## ohos.permission.READ_WRITE_USB_DEV

Allows an application to connect to a device and read and write the device data via USB for debugging purposes.

<!--RP20-->
Currently, this permission is available only to 2-in-1 device applications.
<!--RP20End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 13

## ohos.permission.GET_WIFI_PEERS_MAC

Allows an application to obtain the MAC address of the peer Wi-Fi device.

This permission is required if you want to obtain the MAC address of the peer device when obtaining the Wi-Fi scanning result.

<!--RP14--><!--RP14End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 8

**Changelog**: The permission level is system_core in API versions 8 to 13, and is changed to system_basic since API version 14.

## ohos.permission.kernel.DISABLE_CODE_MEMORY_PROTECTION

Allows an application to disable its runtime code integrity protection.

<!--RP11-->
For an application developed using the cross-platform framework, this permission allows the application to disable its runtime code integrity protection. Currently, this permission is available only to applications running on tablets and 2-in-1 devices.
<!--RP11End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.kernel.ALLOW_WRITABLE_CODE_MEMORY

Allows an application to apply for writable and executable anonymous memory.

<!--RP10-->
For an application developed using the cross-platform framework, this permission allows the application to apply for writable and executable anonymous memory. Currently, this permission is available only to applications running on tablets and 2-in-1 devices.
<!--RP10End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.kernel.ALLOW_EXECUTABLE_FORT_MEMORY

Allows an application to have its system JS engine apply for anonymous executable memory with the MAP_FORT identifier.

After the application has this permission, the system JS engine can request anonymous executable memory with MAP_FORT for just-in-time (JIT) compilation, which increases the runtime execution efficiency.

<!--RP13--><!--RP13End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.MANAGE_PASTEBOARD_APP_SHARE_OPTION

Allows an application to set or remove the pasteable range of pasteboard data.

<!--RP16--><!--RP16End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.MANAGE_UDMF_APP_SHARE_OPTION

Allows an application to set or remove the sharing range of the data supported by the UDMF.

<!--RP17--><!--RP17End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 14

## ohos.permission.ACCESS_DISK_PHY_INFO

Allows an application to obtain the disk hardware information.

<!--RP3--><!--RP3End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.PRELOAD_FILE

Allows an application to preload files to improve the file opening speed.

<!--RP9--><!--RP9End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.SET_PAC_URL

Allows an application to set the URL of the proxy auto config (PAC) script.

After the script address is configured, other applications can read and parse this script and determine whether to use a proxy based on the parsing result.

<!--RP4--><!--RP4End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.PERSONAL_MANAGE_RESTRICTIONS

Allows a device administrator application to manage personal device restrictions.

<!--RP7--><!--RP7End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.START_PROVISIONING_MESSAGE

Allows an application to start the device management service deployment process, which activates the application as a personal device administrator application.

<!--RP8--><!--RP8End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.USE_FRAUD_CALL_LOG_PICKER

Allows an application to use the fraud call log Picker to obtain call logs.

<!--RP5--><!--RP5End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.USE_FRAUD_MESSAGES_PICKER

Allows an application to use the fraud message Picker to obtain SMS messages.

<!--RP6--><!--RP6End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 15

## ohos.permission.PERSISTENT_BLUETOOTH_PEERS_MAC

Allows an application to persist the virtual random address corresponding to the MAC address of the peer Bluetooth device.

With this permission, the application can persist the virtual random address of the peer Bluetooth device obtained via BLE scanning, BR scanning, or listening for connections. The persistent virtual random address can still be used even if Bluetooth is enabled or disabled, or the Bluetooth device is restarted.

<!--RP36--><!--RP36End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 16

## ohos.permission.ACCESS_VIRTUAL_SCREEN

Allows an application to manage virtual screens.

With this permission, the application can call APIs to perform virtual screen management, including creating, using, and destroying a virtual screen.

<!--RP37--><!--RP37End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 18

## ohos.permission.MANAGE_APN_SETTING

Allows an application to read or set APN information.

<!--RP38--><!--RP38End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 16

## ohos.permission.GET_WIFI_LOCAL_MAC

Allows an application to obtain the MAC address of the local Wi-Fi device.

<!--RP43--><!--RP43End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 8

**Changelog**: For API versions 8 to 15, this permission is available only to system applications. For API versions 16 and later, this permission is available to common applications on PCs/2-in-1 devices, and is available only to system applications on other devices.

## ohos.permission.kernel.ALLOW_USE_JITFORT_INTERFACE

Allows an application to call the JITFort API to update the content in MAP_FORT.

<!--RP12--><!--RP12End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 16

## ohos.permission.kernel.DISABLE_GOTPLT_RO_PROTECTION

Allows an application to disable the read-only protection on .got.plt.

<!--RP22--><!--RP22End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 17

## ohos.permission.USE_FRAUD_APP_PICKER

Allows an application to use the fraud app Picker to obtain application information.

<!--RP2--><!--RP2End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 18

## ohos.permission.ACCESS_DDK_DRIVERS

Allows a peripheral extension driver client to bind to the driver server.

This permission can be requested successfully only when:

1. The target extension driver server in the value field of the permission declaration for the peripheral extension driver client has been launched or both the server and client have been launched.
2. The capabilities provided by the target extension driver server comply with the requirements of the peripheral extension driver client.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Extra data**: Yes. For details about the configuration method, see [UI-based Driver Development](../../device/driver/externaldevice-guidelines.md#application-signing).

**Since**: 18

## ohos.permission.kernel.SUPPORT_PLUGIN

Allows an application to install plugins.

<!--RP35--><!--RP35End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 19

## ohos.permission.CUSTOM_SANDBOX

Allows an application to set the sandbox type to dynamic sandbox.

<!--RP39--><!--RP39End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 18

## ohos.permission.MANAGE_SCREEN_TIME_GUARD

Allows an application to call the screen time guard APIs to restrict screen usage, apply application access control, and control the screen usage time.

<!--RP40--><!--RP40End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Since**: 20

## ohos.permission.CUSTOMIZE_SAVE_BUTTON

Allows an application to customize the icon and text of **SaveButton**.

<!--RP41--><!--RP41End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: general devices

**Since**: 20

## ohos.permission.GET_ABILITY_INFO

Allows an application to query **Ability** information based on the URI.

<!--RP42--><!--RP42End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: PCs/2-in-1 devices

**Since**: 20

## ohos.permission.ACCESS_FIDO2_ONLINEAUTH

Allows an application to use the Native Development Kit (NDK) of the passkey service.

<!--RP45--><!--RP45End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20

## ohos.permission.USE_FLOAT_BALL

Allows an application to use the global float ball.

<!--RP46--><!--RP46End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | tablets

**Since**: 20

## ohos.permission.DLP_GET_HIDE_STATUS

Allows an application to use the information hiding APIs to obtain the information hiding status.

With this permission, the application can obtain the current screen peeping state, that is, whether the screen is being peeped by others.

<!--RP44--><!--RP44End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones

**Since**: 18

**Changelog**: This permission is available only to system applications in API versions 18 to 19. From API version 20, it's also available to normal applications.

## ohos.permission.READ_LOCAL_DEVICE_NAME

Allows an application to obtain the local device name.

With this permission, the application can obtain the device name on the **About** screen in **Settings**. Without this permission, the application can only obtain the default device name.

<!--RP47--><!--RP47End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20

<!--Del-->
## ohos.permission.atomicService.MANAGE_STORAGE

Allows an atomic service to request differentiated storage space.

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20
<!--DelEnd-->

## ohos.permission.KEEP_BACKGROUND_RUNNING_SYSTEM

Allows an application to request continuous tasks of special types, such as computing tasks.

<!--RP48--><!--RP48End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: general devices

**Since**: 20

## ohos.permission.LINKTURBO

Allows an application to achieve multipath transmission.

With this permission, the application can initiate operations such as multi-network activation, monitoring, and release for multipath transmission.

<!--RP49--><!--RP49End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: phones | PCs/2-in-1 devices | tablets

**Since**: 20

## ohos.permission.ACCESS_NET_TRACE_INFO

Allows an application to detect the network and obtain the TraceRoute information to determine the possible causes of high network latency.

<!--RP50--><!--RP50End-->

**Permission level**: system_basic

**Authorization mode**: system_grant

**Device**: general devices

**Since**: 20