# ATM


## Introduction

AccessTokenManager (ATM) implements unified app permission management based on access tokens on OpenHarmony.

The access token information of an app includes the app identifier (**APPID**), user ID, app twin index, app Ability Privilege Level (APL), and permission information. The access token of each app is identified by a 32-bit token identity (**TokenID**) in the device.

The ATM module provides the following functions:
-   Verifying app permissions based on the token ID before an app accesses sensitive data or calls an API.
-   Obtaining access token information (for example, APL) based on the token ID.

The following figure shows the ATM architecture.

![](figures/framework_en.png)

## Directory Structure

```
/base/security/access_token
├── frameworks                  # Code of basic functionalities.
│   ├── accesstoken             # Code of the ATM framework.
│   ├── common                  # Common code.
│   ├── privacy                 # Code of the privacy framework.
│   └── tokensync               # Code of the access token synchronization framework.
├── interfaces                  # Interfaces
│   ├── innerkits               # Internal interfaces.
│   │   ├── accesstoken         # Code of the internal access token interfaces.
│   │   ├── nativetoken         # Code of the internal native token interfaces.
│   │   ├── privacy             # Code of the internal privacy interfaces.
│   │   ├── token_callback      # Code of the internal callbacks.
│   │   ├── token_setproc       # Code of internal interfaces for exchanging token IDs.
│   │   └── tokensync           # Code of the internal access token synchronization interfaces.
│   └── kits                    # External interfaces.
│       ├── accesstoken         # Code of the external access token interfaces.
│       ├── common              # Common code of external interfaces.
│       └── privacy             # Code of the external privacy interfaces.
└── services                    # Services
    ├── accesstokenmanager      # ATM service code.
    ├── privacymanager          # Privacy manager service code.
    └── tokensyncmanager        # Code of the access token synchronization service.
```

## Usage

### Available APIs

| **API**| **Description**|
| --- | --- |
| AccessTokenIDEx AllocHapToken(const HapInfoParams& info, const HapPolicyParams& policy); | Allocates a token ID to an app.|
| AccessTokenID AllocLocalTokenID(const std::string& remoteDeviceID, AccessTokenID remoteTokenID); | Allocates a local token ID to the app of a remote device.|
| int UpdateHapToken(AccessTokenIDEx& tokenIdEx, bool isSystemApp, const std::string& appIDDesc, int32_t apiVersion, const HapPolicyParams& policy); | Updates token information.|
| int DeleteToken(AccessTokenID tokenID); | Deletes the app's token ID and information.|
| int GetTokenType(AccessTokenID tokenID); | Obtains the type of an access token.|
| int GetTokenTypeFlag(AccessTokenID tokenID); | Obtains the type of a trusted token ID.|
| int GetTokenType(FullTokenID tokenID); | Obtains the type of an access token.|
| int GetTokenTypeFlag(FullTokenID tokenID); | Obtains the type of a trusted token ID.|
| AccessTokenID GetHapTokenID(int32_t userID, const std::string& bundleName, int32_t instIndex); | Obtains the token ID of an app.|
| AccessTokenIDEx GetHapTokenIDEx(int32_t userID, const std::string& bundleName, int32_t instIndex); | Obtains the token ID of an app.|
| int GetHapTokenInfo(AccessTokenID tokenID, HapTokenInfo& hapTokenInfoRes); | Obtains the token information about an OpenHarmony Ability Package (HAP).|
| int GetNativeTokenInfo(AccessTokenID tokenID, NativeTokenInfo& nativeTokenInfoRes); | Obtains the native token information.|
| int VerifyAccessToken(AccessTokenID tokenID, const std::string& permissionName); | Checks whether an access token has the specified permission.|
| int GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult); | Obtains definition information about the specified permission.|
| int GetDefPermissions(AccessTokenID tokenID, std::vector<PermissionDef>& permList); | Obtains the permission definition set of a HAP.|
| int GetReqPermissions(AccessTokenID tokenID, std::vector<PermissionStateFull>& reqPermList, bool isSystemGrant); | Obtains the status set of the permission requested by a HAP.|
| int GetPermissionFlag(AccessTokenID tokenID, const std::string& permissionName); | Obtains the permissions of the app with the specified token ID.|
| int GrantPermission(AccessTokenID tokenID, const std::string& permissionName, int flag); | Grants a permission to the app with the specified token ID.|
| int RevokePermission(AccessTokenID tokenID, const std::string& permissionName, int flag); | Revokes a permission from the app with the specified token ID.|
| int ClearUserGrantedPermissionState(AccessTokenID tokenID); | Clears the user_grant permission status of the app with the specified token ID.|
| uint64_t GetAccessTokenId(const char *processname, const char **dcap, int32_t dacpNum, const char *aplStr); | Obtains the token ID of a native process.|

### How to Use

ATM provides unified access control for apps and allows apps or service abilities to obtain and verify app permissions and APL. The ATM APIs can be called by a service ability started by a native process or an app HAP.

#### Native Process
-  Before a native process starts, it calls **GetAccessTokenId** to obtain a token ID, and then calls **SetSelfTokenID** to set the token ID in the kernel.

#### App HAP
-  When an app is installed, **AllocHapToken** is called to obtain the token ID of the app.
-  When authentication is required while an app is running, **VerifyAccessToken** or **GetReqPermissions** is called to obtain and verify the app permissions and APL.
-  When an app is uninstalled, **DeleteToken** is called to delete the related access token information.

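The install, verify, and uninstall steps above, as an added example that is not OpenHarmony code: `ModelAtm` is a hypothetical in-memory stand-in for the ATM service, and the values `PERMISSION_GRANTED = 0` and `PERMISSION_DENIED = -1` and the permission name are assumptions. It shows why the `int` result of **VerifyAccessToken** must be compared with the granted value explicitly, and that a deleted token ID no longer verifies.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>

using AccessTokenID = uint32_t;        // the page: a TokenID is 32 bits
constexpr int PERMISSION_GRANTED = 0;  // assumed value, not stated on this page
constexpr int PERMISSION_DENIED = -1;  // assumed value, not stated on this page

// Hypothetical in-memory stand-in for the ATM service, for illustration only.
class ModelAtm {
public:
    // Install: allocate a token that carries the app's granted permissions.
    AccessTokenID AllocHapToken(const std::set<std::string>& granted) {
        AccessTokenID id = next_++;
        tokens_[id] = granted;
        return id;
    }
    // Runtime: deny unless the token exists and holds the permission.
    int VerifyAccessToken(AccessTokenID id, const std::string& perm) const {
        auto it = tokens_.find(id);
        if (it == tokens_.end()) return PERMISSION_DENIED;  // unknown or deleted
        return it->second.count(perm) ? PERMISSION_GRANTED : PERMISSION_DENIED;
    }
    // Uninstall: drop the token so later checks on the stale ID fail.
    int DeleteToken(AccessTokenID id) { return tokens_.erase(id) ? 0 : -1; }
private:
    std::map<AccessTokenID, std::set<std::string>> tokens_;
    AccessTokenID next_ = 1;
};

const std::string kPerm = "example.permission.READ_SENSOR";  // constructed name
// Broken gate: int used as bool, so 0 (granted) refuses and -1 (denied) admits.
bool GateTruthiness(const ModelAtm& atm, AccessTokenID caller) {
    return atm.VerifyAccessToken(caller, kPerm);
}

// Correct gate: only an explicit PERMISSION_GRANTED admits the caller.
bool GateExplicit(const ModelAtm& atm, AccessTokenID caller) {
    return atm.VerifyAccessToken(caller, kPerm) == PERMISSION_GRANTED;
}

int main() {
    ModelAtm atm;
    AccessTokenID app = atm.AllocHapToken({kPerm});
    bool ok = GateExplicit(atm, app) && !GateTruthiness(atm, app);
    atm.DeleteToken(app);
    return (ok && !GateExplicit(atm, app)) ? 0 : 1;
}
```
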
## Repositories Involved

[startup\_init\_lite](https://gitee.com/openharmony/startup_init_lite)

[security\_device\_auth](https://gitee.com/openharmony/security_device_auth)

**[security\_access\_token](https://gitee.com/openharmony/security_access_token)**