# Application Privilege Configuration

Application privileges are high-level capabilities of an application, for example, restricting an application from being uninstalled or restricting application data from being deleted.

OpenHarmony provides both general and device-specific application privileges. The latter can be configured by device vendors for applications on different devices. The privileges configured in the **install_list_capability.json** file take precedence over the privileges configured in the signing certificate.

> **NOTE**
> - To avoid user dissatisfaction or even infringement, do not abuse application privileges.
> - Modifying the application privileges in the profile applies only to applications or services in debug mode. For a commercial application, apply for a release certificate and profile in the corresponding application market.

## General Application Privileges

### Introduction

General application privileges are privileges available to applications on all types of devices. The following table lists the general application privileges.

| Privilege | Description |
| ---------------- | ------------------------------------------------------------ |
| AllowAppDataNotCleared | Prevents deletion of application data. |
| AllowAppDesktopIconHide | Allows the application icon to be hidden from the home screen. |
| AllowAbilityPriorityQueried | Allows the ability priority to be queried. |
| AllowAbilityExcludeFromMissions | Allows an ability to be hidden in the mission stack. |
| AllowAppShareLibrary | Allows an ability to provide the HSP capability for other applications. |
| AllowMissionNotCleared | Prevents the mission from being cleared. |

### How to Configure

1. In the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md), set the general application privileges in the **app-privilege-capabilities** field.
2. Use the hapsigner tool to sign the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to generate a .p7b file.
3. Use the .p7b file to sign the HAP.

Reference: [hapsigner](https://gitee.com/openharmony/developtools_hapsigner#README.md)

### Example

```json
{
    "version-name": "1.0.0",
    ...
    "bundle-info": {
        "developer-id": "OpenHarmony",
        ...
    },
    "issuer": "pki_internal",
    "app-privilege-capabilities": ["AllowAppDataNotCleared", "AllowAppDesktopIconHide"] // The application data cannot be deleted, and the application icon can be hidden on the home screen.
}
```

## Device-specific Application Privileges

### Introduction

In addition to general application privileges, device vendors can define device-specific privileges for an application, as described in the table below.

| Privilege | Type | Default Value | Description |
| --------------------- | -------- | ------ | ------------------------------------------------- |
| removable | bool | true | Allows an application to be uninstalled. This privilege takes effect only for preset applications. |
| keepAlive | bool | false | Allows an application to keep running in the background. |
| singleton | bool | false | Allows an application to be installed for a single user (user 0). |
| allowCommonEvent | string[] | - | Allows an application to be started by a static broadcast. |
| associatedWakeUp | bool | false | Allows an application in the FA model to be woken up by an associated application. |
| runningResourcesApply | bool | false | Allows an application to request running resources, such as the CPU, event notifications, and Bluetooth. |
| allowAppDataNotCleared | bool | false | Prevents deletion of application data. |
| allowAppMultiProcess | bool | false | Allows multiple instances for an application. |
| allowAppDesktopIconHide | bool | false | Allows the application icon to be hidden from the home screen. |
| allowAbilityPriorityQueried | bool | false | Allows the ability priority to be queried. |
| allowAbilityExcludeFromMissions | bool | false | Allows an ability to be hidden in the mission stack. |
| allowAppUsePrivilegeExtension | bool | false | Allows an application to use ServiceExtension and DataExtension abilities. |
| allowFormVisibleNotify | bool | false | Allows a widget to be visible on the home screen. |
| allowAppShareLibrary | bool | false | Allows an ability to provide the HSP capability for other applications. |
| allowMissionNotCleared | bool | false | Prevents the mission from being cleared. |

### How to Configure

Configure the required privileges in the [configuration file](https://gitee.com/openharmony/vendor_hihope/tree/master/rk3568/preinstall-config).

### Example

#### Configuration in install_list_capability.json

```json
{
    "install_list": [
        {
            "bundleName": "com.example.kikakeyboard",
            "singleton": true, // The application is installed for a single user.
            "keepAlive": true, // The application can keep running in the background.
            "runningResourcesApply": true, // The application can apply for running resources such as the CPU, event notifications, and Bluetooth.
            "associatedWakeUp": true, // The application in the FA model can be woken up by an associated application.
            "app_signature": ["****"], // The setting takes effect only when the configured certificate fingerprint is the same as the HAP certificate fingerprint.
            "allowCommonEvent": ["usual.event.SCREEN_ON", "usual.event.THERMAL_LEVEL_CHANGED"],
            "allowAppDataNotCleared": true, // The application data cannot be deleted.
            "allowAppMultiProcess": true, // Allow multiple instances for the application.
            "allowAppDesktopIconHide": true, // The application icon can be hidden from the home screen.
            "allowAbilityPriorityQueried": true, // The ability priority can be queried.
            "allowAbilityExcludeFromMissions": true, // Allow the ability to be excluded from the mission stack.
            "allowAppUsePrivilegeExtension": true, // The application can use ServiceExtension and DataExtension abilities.
            "allowFormVisibleNotify": true, // The widget is visible on the home screen.
            "allowAppShareLibrary": true, // Allow the application to provide the inter-application HSP capability.
            "allowMissionNotCleared": true // The mission cannot be cleared.
        }
    ]
}
```

**Obtaining the Certificate Fingerprint**

1. Create the **profile.cer** file, and copy the certificate content under the **distribution-certificate** field of the [**HarmonyAppProvision** file](../../application-dev/security/app-provision-structure.md) to the **profile.cer** file.

    ```json
    {
        ...
        "bundle-info": {
            "distribution-certificate": "-----BEGIN CERTIFICATE-----\nMIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMk...", // Certificate content.
            ...
        }
        ...
    }
    ```

2. Apply line breaks in the **profile.cer** content and remove the newline characters (`\n`).

    ```
    -----BEGIN CERTIFICATE-----
    MIICMzCCAbegAwIBAgIEaOC/zDAMBggqhkjOPQQDAwUAMGMxCzAJBgNVBAYTAkNO
    MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh
    bTEjMCEGA1UEAxMaT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gQ0EwHhcNMjEwMjAy
    MTIxOTMxWhcNNDkxMjMxMTIxOTMxWjBoMQswCQYDVQQGEwJDTjEUMBIGA1UEChML
    T3Blbkhhcm1vbnkxGTAXBgNVBAsTEE9wZW5IYXJtb255IFRlYW0xKDAmBgNVBAMT
    H09wZW5IYXJtb255IEFwcGxpY2F0aW9uIFJlbGVhc2UwWTATBgcqhkjOPQIBBggq
    hkjOPQMBBwNCAATbYOCQQpW5fdkYHN45v0X3AHax12jPBdEDosFRIZ1eXmxOYzSG
    JwMfsHhUU90E8lI0TXYZnNmgM1sovubeQqATo1IwUDAfBgNVHSMEGDAWgBTbhrci
    FtULoUu33SV7ufEFfaItRzAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFPtxruhl
    cRBQsJdwcZqLu9oNUVgaMAwGCCqGSM49BAMDBQADaAAwZQIxAJta0PQ2p4DIu/ps
    LMdLCDgQ5UH1l0B4PGhBlMgdi2zf8nk9spazEQI/0XNwpft8QAIwHSuA2WelVi/o
    zAlF08DnbJrOOtOnQq5wHOPlDYB4OtUzOYJk9scotrEnJxJzGsh/
    -----END CERTIFICATE-----
    ```

3. Use keytool to run the following command to obtain the certificate fingerprint.

    > **NOTE**<br>You can obtain the keytool from the **\tools\openjdk\bin** directory after DevEco Studio is installed.

    ```shell
    keytool -printcert -file profile.cer

    # Example result:
    # Issued To: CN=OpenHarmony Application Release, OU=OpenHarmony Team, O=OpenHarmony, C=CN
    # Issued By: CN=OpenHarmony Application CA, OU=OpenHarmony Team, O=OpenHarmony, C=CN
    # SN: 68e0bfcc
    # Valid From: Tue Feb 02 20:19:31 CST 2021, Valid To: Fri Dec 31 20:19:31 CST 2049
    # Fingerprints:
    # SHA1 fingerprint: E3:E8:7C:65:B8:1D:02:52:24:6A:06:A4:3C:4A:02:39:19:92:D1:F5
    # SHA256: 8E:93:86:3F:C3:2E:E2:38:06:0B:F6:9A:9B:37:E2:60:8F:FF:B2:1F:93:C8:62:DD:51:1C:BA:C9:F3:00:24:B5
    # // The certificate fingerprint with the colons (:) removed is 8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5.
    # ...
    ```

4. Remove the colons (:) from the SHA256 certificate fingerprint and fill the fingerprint in the **app_signature** field in the **install_list_capability.json** file.

    ```json
    {
        "install_list": [
            {
                ...
                "app_signature": ["8E93863FC32EE238060BF69A9B37E2608FFFB21F93C862DD511CBAC9F30024B5"],
                ...
            }
        ]
    }
    ```

#### Configuration in install_list.json

```json
{
    "install_list" : [
        {
            "app_dir" : "/system/app/com.ohos.launcher",
            "removable": true // The application can be uninstalled.
        }
    ]
}
```
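
The four steps under **Obtaining the Certificate Fingerprint** can be scripted and checked against an **install_list_capability.json** entry before an image is built. The following Python sketch is an added example, not OpenHarmony code: `fingerprint_from_profile` and `audit_entry` are hypothetical helper names, and the embedded profile carries constructed bytes rather than a real certificate.

```python
import base64
import hashlib
import json
import re

# Constructed sample: arbitrary bytes stand in for the DER certificate, wrapped
# the way the distribution-certificate field stores it (PEM with \n escapes).
SAMPLE_DER = b"constructed sample bytes, not a real certificate" * 4
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_PROFILE = json.dumps({"bundle-info": {"distribution-certificate": SAMPLE_PEM}})

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Uppercase hex without colons, as in the page's example; whether the installer
# also accepts lowercase is not stated on the page.
FINGERPRINT_RE = re.compile(r"[0-9A-F]{64}")


def fingerprint_from_profile(profile_text):
    """Return the SHA-256 fingerprint of the profile's certificate (steps 1-4)."""
    pem = json.loads(profile_text)["bundle-info"]["distribution-certificate"]
    # json.loads has already turned the \n escapes into real line breaks (step 2).
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("distribution-certificate is not PEM encoded")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    # The SHA256 value keytool prints is the SHA-256 digest of the DER bytes.
    return hashlib.sha256(der).hexdigest().upper()


def audit_entry(entry, fingerprint):
    """List reasons an entry's app_signature would not match the HAP certificate."""
    issues = []
    signatures = entry.get("app_signature", [])
    if not signatures:
        issues.append("app_signature missing or empty")
    for sig in signatures:
        if not FINGERPRINT_RE.fullmatch(sig):
            issues.append("not a SHA-256 hex fingerprint: %r" % sig)
    if fingerprint not in signatures:
        issues.append("no app_signature matches the profile certificate")
    return issues
```

An entry that still holds the `"****"` placeholder from the sample configuration is reported twice: once for its format and once because it does not match the profile certificate.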