# Development on App Permission Management

## Working Principles

OpenHarmony allows users to install third-party applications and controls the use of sensitive permissions by those applications. When developing an application, declare the sensitive permissions it requires in the application configuration file. Permissions are either static or dynamic: static permissions are registered during application installation, and dynamic permissions must be authorized by users. Authorization modes include system settings, manual authorization, and others. In addition, application signatures are used to ensure that the application installation packages have been confirmed by device vendors.

  **Table 1** OpenHarmony permission list

  | **Permission**| **Authorization Mode**| **Description**|
  | -------- | -------- | -------- |
  | ohos.permission.LISTEN_BUNDLE_CHANGE | system_grant (static permission)| Allows an application to listen for application changes.|
  | ohos.permission.GET_BUNDLE_INFO | system_grant (static permission)| Allows an application to obtain information about other applications.|
  | ohos.permission.INSTALL_BUNDLE | system_grant (static permission)| Allows an application to install other applications.|
  | ohos.permission.CAMERA | user_grant (dynamic permission)| Allows an application to use the camera to take photos and record videos at any time.|
  | ohos.permission.MODIFY_AUDIO_SETTINGS | system_grant (static permission)| Allows an application to modify global audio settings, such as the volume and speaker.|
  | ohos.permission.READ_MEDIA | user_grant (dynamic permission)| Allows an application to read users' favorite videos.|
  | ohos.permission.MICROPHONE | user_grant (dynamic permission)| Allows an application to use the microphone for audio recording at any time.|
  | ohos.permission.WRITE_MEDIA | user_grant (dynamic permission)| Allows an application to write users' favorite music.|
  | ohos.permission.DISTRIBUTED_DATASYNC | user_grant (dynamic permission)| Allows an application to manage distributed data transmission.|
  | ohos.permission.DISTRIBUTED_VIRTUALDEVICE | user_grant (dynamic permission)| Allows an application to use distributed virtualization features.|

> ![icon-note.gif](public_sys-resources/icon-note.gif) **NOTE**<br>
>
> 1. A static permission is granted by the system during application installation. The sensitivity level of this type of permission is **system_grant**. A dynamic permission is granted by users while the application is running. The sensitivity level of this type of permission is **user_grant**.
>
> 2. The application configuration file varies depending on the application model. It is **config.json** for an application based on the FA model and **module.json5** for an application based on the stage model. For details about the application models, see [Interpretation of the Application Model](../../application-dev/application-models/application-model-description.md).

## When to Use

App permissions are required for software to access system resources and use system capabilities. When functions and data related to user privacy are used, for example, when personal devices such as cameras and microphones are used or media files are read or written, OpenHarmony uses the application permission management component to protect the data and capabilities.

When developing a system application that requires a sensitive permission, you can call the corresponding API of the application permission management component to check whether the required permission is granted. If the permission is not granted, the application cannot use it.

## Available APIs

The table below lists the APIs available for application permission management. These APIs can be called only by system applications and services.

  **Table 2** App permission management APIs

| API| Description|
| -------- | -------- |
| int&nbsp;CheckPermission(int&nbsp;uid,&nbsp;const&nbsp;char&nbsp;\*permissionName) | Checks whether the application with the specified UID has the permission to access system service APIs.|
| int&nbsp;CheckSelfPermission(const&nbsp;char&nbsp;\*permissionName) | Checks whether the caller has the permission to access system service APIs.|
| int&nbsp;QueryPermission(const&nbsp;char&nbsp;\*identifier,&nbsp;PermissionSaved&nbsp;\*\*permissions,&nbsp;int&nbsp;\*permNum) | Queries all permissions requested by the application and checks whether the requested permissions have been granted.|
| int&nbsp;GrantPermission(const&nbsp;char&nbsp;\*identifier,&nbsp;const&nbsp;char&nbsp;\*permName) | Grants a permission to the app.|
| int&nbsp;RevokePermission(const&nbsp;char&nbsp;\*identifier,&nbsp;const&nbsp;char&nbsp;\*permName) | Revokes a permission from the app.|
| int&nbsp;GrantRuntimePermission(int&nbsp;uid,&nbsp;const&nbsp;char&nbsp;\*permissionName) | Grants a runtime permission to the app.|
| int&nbsp;RevokeRuntimePermission(int&nbsp;uid,&nbsp;const&nbsp;char&nbsp;\*permissionName) | Revokes a runtime permission from the app.|

## How to Develop

The following uses the BMS as an example to describe how to develop with application permissions. Before you start, declare the required sensitive permissions in the **config.json** file. During application installation, the BMS calls APIs of the application permission management component to check whether the required permissions are available. If yes, the installation proceeds; otherwise, the installation fails.

1. Declare the required permission (**ohos.permission.INSTALL_BUNDLE**) in the **config.json** file.
   If the FA model is used, declare the permission in the **config.json** file. The following is an example:
   ```json
   {
     "module": {
       "package": "ohos.demo.kitframework",
       "deviceType": [
         "phone", "tv", "tablet", "car", "smartWatch", "sportsWatch", "smartCamera", "smartVision"
       ],
       "reqPermissions": [{
         "name": "ohos.permission.INSTALL_BUNDLE",
         "reason": "install bundle",
         "usedScene": {
           "ability": [
             "KitFramework"
           ],
           "when": "always"
         }
       },
       {
         "name": "ohos.permission.LISTEN_BUNDLE_CHANGE",
         "reason": "install bundle",
         "usedScene": {
           "ability": [
             "KitFramework"
           ],
           "when": "always"
         }
       },
       {
         "name": "ohos.permission.GET_BUNDLE_INFO",
         "reason": "install bundle",
         "usedScene": {
           "ability": [
             "KitFramework"
           ],
           "when": "always"
         }
       }]
     }
   }
   ```
   If the stage model is used, declare the permission in **module.json5**. The following is an example:
   ```json
   {
     "module": {
       "requestPermissions": [{
         "name": "ohos.permission.INSTALL_BUNDLE",
         "reason": "install bundle",
         "usedScene": {
           "ability": [
             "KitFramework"
           ],
           "when": "always"
         }
       },
       {
         "name": "ohos.permission.LISTEN_BUNDLE_CHANGE",
         "reason": "install bundle",
         "usedScene": {
           "ability": [
             "KitFramework"
           ],
           "when": "always"
         }
       },
       {
         "name": "ohos.permission.GET_BUNDLE_INFO",
         "reason": "install bundle",
         "usedScene": {
           "ability": [
             "KitFramework"
           ],
           "when": "always"
         }
       }]
     }
   }
   ```

2. When an application is to be installed, the BMS checks whether it has the permission to install the app. For example, the BMS calls **CheckPermission** with **ohos.permission.INSTALL_BUNDLE** as an input parameter. If it has the permission, the installation proceeds; otherwise, the installation fails.

   ```c++
   constexpr static char PERMISSION_INSTALL_BUNDLE[] = "ohos.permission.INSTALL_BUNDLE";

   bool Install(const char *hapPath, const InstallParam *installParam, InstallerCallback installerCallback)
   {
       if ((hapPath == nullptr) || (installerCallback == nullptr) || (installParam == nullptr)) {
           HILOG_ERROR(HILOG_MODULE_APP, "BundleManager install failed due to nullptr parameters");
           return false;
       }
       // Check whether the ohos.permission.INSTALL_BUNDLE permission has been granted.
       if (CheckPermission(0, static_cast<const char *>(PERMISSION_INSTALL_BUNDLE)) != GRANTED) {
           HILOG_ERROR(HILOG_MODULE_APP, "BundleManager install failed due to permission denied");
           return false;  // App installation fails.
       }
       // Installation process.
       ...
   }
   ```
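
The declaration step above can be audited before packaging. The following Python script is an added example, not part of the OpenHarmony documentation or code base: it reads the `reqPermissions` (FA model) or `requestPermissions` (stage model) array and groups each declared name by the authorization mode given in Table 1. The sample configuration and the name `ohos.permission.EXAMPLE_NOT_IN_TABLE` are constructed, and strict JSON input is assumed (no JSON5 comments or trailing commas).

```python
import json

TABLE_1 = {  # authorization modes copied from Table 1 of this page
    "ohos.permission.LISTEN_BUNDLE_CHANGE": "system_grant",
    "ohos.permission.GET_BUNDLE_INFO": "system_grant",
    "ohos.permission.INSTALL_BUNDLE": "system_grant",
    "ohos.permission.CAMERA": "user_grant",
    "ohos.permission.MODIFY_AUDIO_SETTINGS": "system_grant",
    "ohos.permission.READ_MEDIA": "user_grant",
    "ohos.permission.MICROPHONE": "user_grant",
    "ohos.permission.WRITE_MEDIA": "user_grant",
    "ohos.permission.DISTRIBUTED_DATASYNC": "user_grant",
    "ohos.permission.DISTRIBUTED_VIRTUALDEVICE": "user_grant",
}

def declared_permissions(config_text):
    """Names under module.reqPermissions (FA) or module.requestPermissions (stage)."""
    doc = json.loads(config_text)
    module = doc.get("module") if isinstance(doc, dict) else None
    if not isinstance(module, dict):
        return []
    names = []
    for key in ("reqPermissions", "requestPermissions"):
        entries = module.get(key)
        # Ignore a malformed (non-list) value instead of iterating over it.
        for entry in entries if isinstance(entries, list) else []:
            if isinstance(entry, dict) and isinstance(entry.get("name"), str):
                names.append(entry["name"])
    return names

def audit(config_text):
    """Group names: granted at install, needing user authorization, or not in Table 1."""
    report = {"system_grant": [], "user_grant": [], "unknown": [], "duplicate": []}
    seen = set()
    for name in declared_permissions(config_text):
        bucket = "duplicate" if name in seen else TABLE_1.get(name, "unknown")
        seen.add(name)
        report[bucket].append(name)
    return report

# Constructed stage-model sample; the last name is a placeholder, not a real permission.
SAMPLE = json.dumps({"module": {"requestPermissions": [
    {"name": "ohos.permission.INSTALL_BUNDLE", "reason": "install bundle"},
    {"name": "ohos.permission.CAMERA", "reason": "take photo"},
    {"name": "ohos.permission.CAMERA", "reason": "take photo"},
    {"name": "ohos.permission.EXAMPLE_NOT_IN_TABLE", "reason": "constructed"},
]}})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

Names reported under `user_grant` are the ones that still need user authorization at run time; `unknown` means only that the name does not appear in Table 1.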