# @ohos.abilityAccessCtrl (Application Access Control)

The **abilityAccessCtrl** module provides APIs for application permission management, including authentication, authorization, and revocation.

> **NOTE**
>
> The initial APIs of this module are supported since API version 8. Newly added APIs will be marked with a superscript to indicate their earliest API version.

## Modules to Import

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl'
```

## abilityAccessCtrl.createAtManager

createAtManager(): AtManager

Creates an **AtManager** instance, which is used for application access control.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type | Description |
| -------- | -------- |
| [AtManager](#atmanager) | **AtManager** instance created. |

**Example**

```ts
let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
```

## AtManager

Provides APIs for application access control.

### checkAccessToken<sup>9+</sup>

checkAccessToken(tokenID: number, permissionName: Permissions): Promise<GrantStatus>

Checks whether a permission is granted to an application. This API uses a promise to return the result.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to check. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
  atManager.checkAccessToken(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS').then((data: abilityAccessCtrl.GrantStatus) => {
    console.log(`checkAccessToken success, data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`checkAccessToken fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessTokenSync<sup>9+</sup>

verifyAccessTokenSync(tokenID: number, permissionName: Permissions): GrantStatus

Verifies whether a permission is granted to an application. This API returns the result synchronously.
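
A fail-closed gate around a synchronous check such as the one described above, as an added example that is not part of the OpenHarmony documentation or SDK. The verifier is injected so the logic runs without the SDK; `gate`, `utf8Length` and the stub verifier are hypothetical names, and the **GrantStatus** values 0 (granted) and -1 (denied) are assumed.

```typescript
// Added example, not OpenHarmony code. The verifier is injected so the gate
// runs without the SDK; on a device it would wrap atManager.verifyAccessTokenSync.

// Assumption: GrantStatus is 0 for granted and -1 for denied.
const PERMISSION_GRANTED = 0;
const PERMISSION_DENIED = -1;

// Documented on this page: tokenID 0 or a permissionName over 256 bytes
// is reported as error 12100001.
const ERR_PARAM_INVALID = 12100001;
const MAX_PERMISSION_NAME_BYTES = 256;

type SyncVerifier = (tokenID: number, permissionName: string) => number;

type Reason =
  | 'granted'
  | 'denied'
  | 'bad-token-id'
  | 'name-too-long'
  | 'invalid-parameter'
  | 'check-failed'
  | 'unknown-status';

interface Decision {
  allowed: boolean;
  reason: Reason;
}

// UTF-8 length in bytes; the documented limit is in bytes, not characters.
function utf8Length(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) {
      bytes += 1;
    } else if (c < 0x800) {
      bytes += 2;
    } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < s.length &&
               s.charCodeAt(i + 1) >= 0xdc00 && s.charCodeAt(i + 1) <= 0xdfff) {
      bytes += 4; // a surrogate pair encodes one 4-byte code point
      i++;
    } else {
      bytes += 3;
    }
  }
  return bytes;
}

function deny(reason: Reason): Decision {
  return { allowed: false, reason: reason };
}

// Hypothetical helper: every path except an explicit "granted" denies access.
function gate(verify: SyncVerifier, tokenID: number, permissionName: string): Decision {
  // Reject inputs the service would answer with 12100001 before calling it.
  if (!isFinite(tokenID) || tokenID === 0) {
    return deny('bad-token-id');
  }
  if (utf8Length(permissionName) > MAX_PERMISSION_NAME_BYTES) {
    return deny('name-too-long');
  }
  let status: number;
  try {
    status = verify(tokenID, permissionName);
  } catch (err) {
    // An exception is never treated as a grant.
    const code = (err as { code?: number } | null)?.code;
    return deny(code === ERR_PARAM_INVALID ? 'invalid-parameter' : 'check-failed');
  }
  if (status === PERMISSION_GRANTED) {
    return { allowed: true, reason: 'granted' };
  }
  // Any value other than the two known states is also a denial.
  return deny(status === PERMISSION_DENIED ? 'denied' : 'unknown-status');
}

// Constructed sample: a stub verifier standing in for the system service,
// and a made-up token ID.
const stubVerifier: SyncVerifier = (tokenID, permissionName) =>
  permissionName === 'ohos.permission.CAMERA' ? PERMISSION_GRANTED : PERMISSION_DENIED;

const sampleDecisions: Decision[] = [
  gate(stubVerifier, 537012345, 'ohos.permission.CAMERA'),
  gate(stubVerifier, 0, 'ohos.permission.CAMERA'), // placeholder token ID 0 is rejected
];
```

The placeholder `tokenID = 0` used in this page's own examples falls into the `bad-token-id` branch, which matches the 12100001 row of the error table.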

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| [GrantStatus](#grantstatus) | Permission grant state. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let data: abilityAccessCtrl.GrantStatus = atManager.verifyAccessTokenSync(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS');
console.log(`data->${JSON.stringify(data)}`);
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise<void>

Grants a user_grant permission to an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed. |

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<void> | Promise that returns no value. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.grantUserGrantedPermission(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS', permissionFlags).then(() => {
    console.log('grantUserGrantedPermission success');
  }).catch((err: BusinessError) => {
    console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### grantUserGrantedPermission

grantUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback<void>): void

Grants a user_grant permission to an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GRANT_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to grant. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed. |
| callback | AsyncCallback<void> | Yes | Callback invoked to return the result. If the permission is granted, **err** is **undefined**. Otherwise, **err** is an error object. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be granted with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.grantUserGrantedPermission(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS', permissionFlags, (err: BusinessError, data: void) => {
    if (err) {
      console.log(`grantUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    } else {
      console.log('grantUserGrantedPermission success');
    }
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number): Promise<void>

Revokes a user_grant permission from an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed. |

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<void> | Promise that returns no value. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.revokeUserGrantedPermission(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS', permissionFlags).then(() => {
    console.log('revokeUserGrantedPermission success');
  }).catch((err: BusinessError) => {
    console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### revokeUserGrantedPermission

revokeUserGrantedPermission(tokenID: number, permissionName: Permissions, permissionFlags: number, callback: AsyncCallback<void>): void

Revokes a user_grant permission from an application. This API uses an asynchronous callback to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to revoke. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
| permissionFlags | number | Yes | Permission flag.<br>- **0**: The permission is not set by the user.<br>- **1**: A dialog box for user authorization will be displayed the next time if the user denies authorization for the permission.<br>- **2**: No dialog box will be displayed the next time if the user denies authorization for the permission. The permission must be granted by the user in **Settings**.<br>- **4**: The permission is authorized by the system and cannot be changed. |
| callback | AsyncCallback<void> | Yes | Callback invoked to return the result. If the permission is revoked, **err** is **undefined**. Otherwise, **err** is an error object. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, the permissionName exceeds 256 bytes, or the flags value is invalid. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The application specified by the tokenID is not allowed to be revoked with the specified permission. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionFlags: number = 1;
try {
  atManager.revokeUserGrantedPermission(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS', permissionFlags, (err: BusinessError, data: void) => {
    if (err) {
      console.log(`revokeUserGrantedPermission fail, err->${JSON.stringify(err)}`);
    } else {
      console.log('revokeUserGrantedPermission success');
    }
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getPermissionFlags

getPermissionFlags(tokenID: number, permissionName: Permissions): Promise<number>

Obtains the permission flag of an application. This API uses a promise to return the result.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS, ohos.permission.GRANT_SENSITIVE_PERMISSIONS, or ohos.permission.REVOKE_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| --------- | ------------------- | ---- | ------------------------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Target permission. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<number> | Promise used to return the permission flag obtained. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes. |
| 12100002 | The specified tokenID does not exist. |
| 12100003 | The specified permission does not exist. |
| 12100006 | The operation is not allowed. Either the application is a sandbox or the tokenID is from a remote device. |
| 12100007 | Service is abnormal. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
  atManager.getPermissionFlags(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS').then((data: number) => {
    console.log(`getPermissionFlags success, data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`getPermissionFlags fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### getVersion<sup>9+</sup>

getVersion(): Promise<number>

Obtains the data version of the permission management. This API uses a promise to return the result.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<number> | Promise used to return the version obtained. |

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let promise = atManager.getVersion();
promise.then((data: number) => {
  console.log(`promise: data->${JSON.stringify(data)}`);
});
```

### on<sup>9+</sup>

on(type: 'permissionStateChange', tokenIDList: Array<number>, permissionList: Array<Permissions>, callback: Callback<PermissionStateChangeInfo>): void;

Subscribes to permission state changes of the specified applications and permissions.

Multiple callbacks can be registered for the specified **tokenIDList** and **permissionList**.

If **tokenIDList** and **permissionList** have common values with the **tokenIDList** and **permissionList** of a callback registered, **callback** must be different.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type. The value is **'permissionStateChange'**, which indicates the permission grant state change event. |
| tokenIDList | Array<number> | Yes | List of application token IDs to observe. If this parameter is left empty, the permission grant state changes of all applications will be subscribed to. |
| permissionList | Array<Permissions> | Yes | List of permissions. If this parameter is left empty, the grant state changes of all permissions will be subscribed to. |
| callback | Callback<[PermissionStateChangeInfo](#permissionstatechangeinfo9)> | Yes | Callback invoked to return the permission grant state change. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes. |
| 12100004 | The interface is called repeatedly with the same input. |
| 12100005 | The registration time has exceeded the limitation. |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let appInfo: bundleManager.ApplicationInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ['ohos.permission.DISTRIBUTED_DATASYNC'];
try {
  atManager.on('permissionStateChange', tokenIDList, permissionList, (data: abilityAccessCtrl.PermissionStateChangeInfo) => {
    console.debug('receive permission state change, data:' + JSON.stringify(data));
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### off<sup>9+</sup>

off(type: 'permissionStateChange', tokenIDList: Array<number>, permissionList: Array<Permissions>, callback?: Callback<PermissionStateChangeInfo>): void;

Unsubscribes from permission grant state changes of the specified applications and permissions. This API uses a callback to return the result.

If no callback is passed in **atManager.off**, all callbacks for **tokenIDList** and **permissionList** will be unregistered.

**System API**: This is a system API.

**Required permissions**: ohos.permission.GET_SENSITIVE_PERMISSIONS (available only to system applications)

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| ------------------ | --------------------- | ---- | ------------------------------------------------------------ |
| type | string | Yes | Event type. The value is **'permissionStateChange'**, which indicates the permission grant state change event. |
| tokenIDList | Array<number> | Yes | List of application token IDs. If this parameter is left empty, the permission grant state changes of all applications will be unsubscribed from. The value must be the same as that passed in **on()**. |
| permissionList | Array<Permissions> | Yes | List of permissions. If this parameter is left empty, the grant state changes of all permissions will be unsubscribed from. The value must be the same as that passed in **on()**. |
| callback | Callback<[PermissionStateChangeInfo](#permissionstatechangeinfo9)> | No | Callback for the permission grant state change. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenIDs or permissionNames in the list are all invalid. |
| 12100004 | The interface is not used together with 'on'. |
| 12100007 | Service is abnormal. |
| 12100008 | Out of memory. |

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
import bundleManager from '@ohos.bundle.bundleManager';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let appInfo: bundleManager.ApplicationInfo = bundleManager.getApplicationInfoSync('com.example.myapplication', 0, 100);
let tokenIDList: Array<number> = [appInfo.accessTokenId];
let permissionList: Array<Permissions> = ['ohos.permission.DISTRIBUTED_DATASYNC'];
try {
  atManager.off('permissionStateChange', tokenIDList, permissionList);
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>9+</sup>

verifyAccessToken(tokenID: number, permissionName: Permissions): Promise<GrantStatus>

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to verify. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state. |

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionName: Permissions = 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS';
try {
  atManager.verifyAccessToken(tokenID, permissionName).then((data: abilityAccessCtrl.GrantStatus) => {
    console.log(`promise: data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`verifyAccessToken fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array<Permissions>, requestCallback: AsyncCallback<PermissionRequestResult>) : void;

Requests user authorization in a dialog box opened by a UIAbility. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> The API cannot be called by any non-UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory | Description |
| -------- | -------- | -------- | -------- |
| context | Context | Yes | Context of the UIAbility. |
| permissionList | Array<Permissions> | Yes | Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
| callback | AsyncCallback<[PermissionRequestResult](js-apis-permissionrequestresult.md)> | Yes | Callback invoked to return the result. |

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID | Error Message |
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

The ArkTS syntax does not support direct use of **globalThis**. A singleton map is required to enable the use of **globalThis**. You need to perform the following operations:

   a. Import the created singleton object **GlobalThis** to **EntryAbility.ets**.
    ```ts
     import {GlobalThis} from '../utils/globalThis'; // Set it based on the path of globalThis.ets.
    ```
   b. Add the following to **onCreate**:
    ```ts
     GlobalThis.getInstance().setContext('context', this.context);
    ```

   > **NOTE**
   >
   > An alert will be generated when a **.ets** file is imported to a TS file. To prevent the alert, you need to change the file name extension of **EntryAbility.ts** to **EntryAbility.ets** and modify the file name extension in **module.json5**.

The sample code of **globalThis.ets** is as follows:

```ts
import { Context } from '@ohos.abilityAccessCtrl';

// Construct a singleton object.
export class GlobalThis {
  private constructor() {}
  private static instance: GlobalThis;
  private _uiContexts = new Map<string, Context>();

  public static getInstance(): GlobalThis {
    if (!GlobalThis.instance) {
      GlobalThis.instance = new GlobalThis();
    }
    return GlobalThis.instance;
  }

  getContext(key: string): Context | undefined {
    return this._uiContexts.get(key);
  }

  setContext(key: string, value: Context): void {
    this._uiContexts.set(key, value);
  }

  // Set other content in the same way.
}
```

```ts
import abilityAccessCtrl, { Context, PermissionRequestResult } from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';
import common from '@ohos.app.ability.common';
import { GlobalThis } from '../utils/globalThis';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
try {
  // getContext() returns Context | undefined, so narrow the type before use.
  let context: Context = GlobalThis.getInstance().getContext('context') as Context;
  atManager.requestPermissionsFromUser(context, ['ohos.permission.CAMERA'], (err: BusinessError, data: PermissionRequestResult) => {
    // Check err before reading data.
    if (err) {
      console.log(`requestPermissionsFromUser fail, err->${JSON.stringify(err)}`);
      return;
    }
    console.info('data:' + JSON.stringify(data));
    console.info('data permissions:' + data.permissions);
    console.info('data authResults:' + data.authResults);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### requestPermissionsFromUser<sup>9+</sup>

requestPermissionsFromUser(context: Context, permissionList: Array<Permissions>) : Promise<PermissionRequestResult>;

Requests user authorization in a dialog box opened by a UIAbility. This API uses a promise to return the result.

> **NOTE**
>
> The API cannot be called by any non-UIAbility.

**Model restriction**: This API can be used only in the stage model.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name| Type| Mandatory| Description|
| -------- | -------- | -------- | -------- |
| context | Context | Yes| Context of the UIAbility.|
| permissionList | Array<Permissions> | Yes| Permissions requested. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type| Description|
| -------- | -------- |
| Promise<[PermissionRequestResult](js-apis-permissionrequestresult.md)> | Promise used to return the result.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The context is invalid when it does not belong to the application itself. |

**Example**

The procedure for modifying **EntryAbility.ets** and importing **GlobalThis** is the same as the preceding procedure and is omitted here.

```ts
import abilityAccessCtrl, { Context, PermissionRequestResult } from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';
import { GlobalThis } from '../utils/globalThis';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
try {
  // getContext() returns Context | undefined; the context is stored in onCreate as described above.
  let context: Context = GlobalThis.getInstance().getContext('context') as Context;
  atManager.requestPermissionsFromUser(context, ['ohos.permission.CAMERA']).then((data: PermissionRequestResult) => {
    console.info('data:' + JSON.stringify(data));
    console.info('data permissions:' + data.permissions);
    console.info('data authResults:' + data.authResults);
  }).catch((err: BusinessError) => {
    console.info('err:' + JSON.stringify(err));
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### verifyAccessToken<sup>(deprecated)</sup>

verifyAccessToken(tokenID: number, permissionName: string): Promise<GrantStatus>

Verifies whether a permission is granted to an application. This API uses a promise to return the result.

> **NOTE**
>
> This API is no longer maintained since API version 9. You are advised to use [checkAccessToken](#checkaccesstoken9).

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | string | Yes | Permission to verify.|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| Promise<GrantStatus> | Promise used to return the permission grant state.|

**Example**

```ts
import abilityAccessCtrl from '@ohos.abilityAccessCtrl';
import { BusinessError } from '@ohos.base';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
try {
  atManager.verifyAccessToken(tokenID, 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS').then((data: abilityAccessCtrl.GrantStatus) => {
    console.log(`promise: data->${JSON.stringify(data)}`);
  }).catch((err: BusinessError) => {
    console.log(`verifyAccessToken fail, err->${JSON.stringify(err)}`);
  });
} catch(err) {
  console.log(`catch err->${JSON.stringify(err)}`);
}
```

### checkAccessTokenSync<sup>10+</sup>

checkAccessTokenSync(tokenID: number, permissionName: Permissions): GrantStatus;

Checks whether a permission is granted to an application. This API returns the result synchronously.

**System capability**: SystemCapability.Security.AccessToken

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------- | ---- | ------------------------------------------ |
| tokenID | number | Yes | Application token ID, which can be obtained from [ApplicationInfo](js-apis-bundleManager-applicationInfo.md). |
| permissionName | Permissions | Yes | Permission to check. For details about the permissions, see the [Application Permission List](../../security/permission-list.md).|

**Return value**

| Type | Description |
| :------------ | :---------------------------------- |
| [GrantStatus](#grantstatus) | Permission grant state.|

**Error codes**

For details about the error codes, see [Application Access Control Error Codes](../errorcodes/errorcode-access-token.md).

| ID| Error Message|
| -------- | -------- |
| 12100001 | The parameter is invalid. The tokenID is 0, or permissionName exceeds 256 bytes.|

**Example**

```ts
import abilityAccessCtrl, { Permissions } from '@ohos.abilityAccessCtrl';

let atManager: abilityAccessCtrl.AtManager = abilityAccessCtrl.createAtManager();
let tokenID: number = 0; // Placeholder: a tokenID of 0 is rejected with error 12100001. Use bundleManager.getApplicationInfo() to obtain the token ID for a system application, and use bundleManager.getBundleInfoForSelf() to obtain the token ID for a non-system application.
let permissionName: Permissions = 'ohos.permission.GRANT_SENSITIVE_PERMISSIONS';
let data: abilityAccessCtrl.GrantStatus = atManager.checkAccessTokenSync(tokenID, permissionName);
console.log(`data->${JSON.stringify(data)}`);
```

### GrantStatus

Enumerates the permission grant states.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ------------------ | ----- | ----------- |
| PERMISSION_DENIED | -1 | Permission denied.|
| PERMISSION_GRANTED | 0 | Permission granted.|

### PermissionStateChangeType<sup>9+</sup>

Enumerates the operations that trigger permission grant state changes.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Value| Description |
| ----------------------- | ------ | ----------------- |
| PERMISSION_REVOKED_OPER | 0 | Operation to revoke the permission.|
| PERMISSION_GRANTED_OPER | 1 | Operation to grant the permission.|

### PermissionStateChangeInfo<sup>9+</sup>

Defines detailed information about the permission grant state change.

**System API**: This is a system API.

**System capability**: SystemCapability.Security.AccessToken

| Name | Type | Readable| Writable| Description |
| -------------- | ------------------------- | ---- | ---- | ------------------ |
| change | [PermissionStateChangeType](#permissionstatechangetype9) | Yes | No | Operation that triggers the permission grant state change. |
| tokenID | number | Yes | No | Application token ID.|
| permissionName | Permissions | Yes | No | Permission whose grant state changes. For details about the permissions, see the [Application Permission List](../../security/permission-list.md). |
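
The numeric values in the tables above are easy to misread: 0 means granted in **GrantStatus** but revoked in **PermissionStateChangeType**. The following added example (not part of the OpenHarmony documentation) handles a **requestPermissionsFromUser** result and a **PermissionStateChangeInfo** event so that anything unexpected counts as denied. The local enum mirrors, the interfaces, `deniedPermissions`, `applyChange`, `isGranted` and the sample values are hypothetical, and it assumes `authResults` uses 0 for granted as **GrantStatus** does.

```typescript
// Local mirrors of the two enums documented on this page, so the block runs without the SDK.
const GrantStatus = { PERMISSION_DENIED: -1, PERMISSION_GRANTED: 0 } as const;
const PermissionStateChangeType = { PERMISSION_REVOKED_OPER: 0, PERMISSION_GRANTED_OPER: 1 } as const;

// Minimal shapes of the objects the APIs return (only the fields used here).
interface RequestResult { permissions: string[]; authResults: number[]; }
interface StateChangeInfo { change: number; tokenID: number; permissionName: string; }

// Return every requested permission that was not explicitly granted.
// Assumption: authResults[i] uses 0 for "granted", like GrantStatus. A permission
// missing from the result, a short authResults array, or any other value is denied.
function deniedPermissions(requested: string[], result: RequestResult): string[] {
  const granted = new Set<string>();
  result.permissions.forEach((name, i) => {
    if (result.authResults[i] === GrantStatus.PERMISSION_GRANTED) {
      granted.add(name);
    }
  });
  return requested.filter((name) => !granted.has(name));
}

// Hypothetical cache of the last known grant state, keyed by "tokenID:permissionName".
const grantCache = new Map<string, number>();

// Convert a change event to a GrantStatus before caching it. Storing the raw
// value would be wrong: 0 means "revoked" in PermissionStateChangeType but
// "granted" in GrantStatus. Unknown change values fail closed.
function applyChange(info: StateChangeInfo): number {
  const status = info.change === PermissionStateChangeType.PERMISSION_GRANTED_OPER
    ? GrantStatus.PERMISSION_GRANTED
    : GrantStatus.PERMISSION_DENIED;
  grantCache.set(`${info.tokenID}:${info.permissionName}`, status);
  return status;
}

// A (tokenID, permission) pair that was never observed is treated as denied.
function isGranted(tokenID: number, permissionName: string): boolean {
  return grantCache.get(`${tokenID}:${permissionName}`) === GrantStatus.PERMISSION_GRANTED;
}

// Constructed sample data (not captured from a device).
const sampleResult: RequestResult = {
  permissions: ['ohos.permission.CAMERA', 'ohos.permission.MICROPHONE'],
  authResults: [0, -1],
};
const sampleRevoke: StateChangeInfo = { change: 0, tokenID: 1001, permissionName: 'ohos.permission.CAMERA' };
console.log(deniedPermissions(sampleResult.permissions, sampleResult), applyChange(sampleRevoke));
```

Gate a protected feature on `deniedPermissions(...)` returning an empty array rather than on the callback or promise merely completing.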