Below is the HarmonyOS Next permission management deep dive guide rewritten and optimized into English, with code blocks properly wrapped:
HarmonyOS Next Permission Management Deep Dive Guide: From Basic Standards to Enterprise Practices
I. Major Updates to the Permission System
1. Permission Grading 3.0 Mechanism
// Permission Sensitivity Grading (New AI-related Categories Added)
enum PermissionLevel {
NORMAL = "Basic Permissions", // E.g., network status access
LIMITED = "Restricted Permissions", // E.g., calendar read/write
SIGNATURE = "System-level Permissions", // E.g., modifying system settings
AI_SENSITIVE = "AI-sensitive Permissions" // E.g., biometric identification
}
2. Distributed Permission Management
// Cross-device Permission Declaration Example
const DISTRIBUTED_PERMISSIONS = [
"ohos.permission.DISTRIBUTED_DATASYNC",
"ohos.permission.CROSS_DEVICE_CAMERA"
];
II. Six Core Permissions in Practice
1. Location Permission Group
// Precise Location Request (Requires Dual Authorization)
import accessToken from '@ohos.abilityAccessToken';
async function requestLocation() {
const permissions: string[] = [
"ohos.permission.LOCATION",
"ohos.permission.APPROXIMATELY_LOCATION"
];
const result = await accessToken.requestPermissions(permissions);
if (result.authResults === 0) {
// Obtain precise location
} else if (result.authResults === 1) {
// Fallback to approximate location
}
}
2. Biometric Authentication
// Facial Recognition Permission Validation Process
import userIAM_auth from '@ohos.userIAM.auth';
async function checkFaceAuth() {
try {
const auth = new userIAM_auth.Auth();
const result = await auth.checkPermission("ohos.permission.FACE_AUTH");
if (result === userIAM_auth.AuthResult.SUCCESS) {
// Perform biometric authentication
}
} catch (err) {
console.error(`Biometric authentication error: ${err.code}`);
}
}
3. AI Model Invocation Permissions
// Large Model Access Permission Declaration (New in 2025)
const AIModelPermissions = [
"ohos.permission.ACCESS_LLM",
"ohos.permission.SAVE_AI_RESULT"
];
III. Enterprise-Level Best Practices
1. Four Principles for Permission Requests
- Minimization Principle
Only request permissions essential for the current scenario; avoid pre-requesting unused permissions.
//Incorrect Example: Requesting all possible permissions at once
const permissions = [
"ohos.permission.CAMERA",
"ohos.permission.READ_CALENDAR",
"ohos.permission.MICROPHONE"
];
//Correct Approach: Request permissions on-demand based on scenarios
- Transparency Principle
Customize permission request dialogs (must comply with Huawei UI standards).
function showCustomDialog() {
AlertDialog.show({
title: "Album Access Required",
message: "For uploading user avatars; we will not access other photos",
confirmText: "Grant Now",
cancelText: "Not Now"
});
}
2. Sensitive Permission Monitoring Strategy
// Real-time Monitoring of Permission Status
accessToken.on('permissionChange', (info) => {
if (info.permission === "ohos.permission.CAMERA") {
if (info.status === 'REVOKED') {
// Disable camera-related features
}
}
});
3. Permission Usage Self-Inspection Checklist
| Inspection Item | Detection Tool | Standard Requirements |
|---|---|---|
| Consistency of Permission Declarations | HAP Scanner | 100% match with actual usage |
| Frequency of Sensitive Permission Calls | DevEco Profiler | ≤3 times per minute |
| Privacy Policy Coverage | AGC Compliance Detection | Full explanation of all permissions |
IV. Solutions to Common Issues
- Q1: How to Guide Users After Permanent Permission Denial?
// Navigate to System Settings Page (New API in 2025)
import settings from '@ohos.settings';
function openAppSettings() {
settings.openAppSetting({
bundleName: "com.example.app",
success: () => console.log("Successfully navigated")
});
}
- Q2: How to Check Permission Group Status?
// Obtain Permission Group Status
async function checkGroupStatus() {
const groupStatus = await accessToken.getPermissionGroupStatus(
"ohos.permission-group.LOCATION"
);
return groupStatus === accessToken.PermissionGrantState.GRANTED;
}
- Q3: Notes on Permission Adaptation for Overseas Versions
GDPR Requirements: Default checkboxes for "Always Allow" are prohibited. California Bill Requirements: Provide an option to "Reject and Continue Using." Middle East Requirements: Cameras and microphones must be requested separately.
The following is an explanation of the content:
I. Major Updates to the Permission System
1. Permission Grading 3.0 Mechanism
HarmonyOS Next introduces a more refined permission grading 3.0 mechanism, adding AI-sensitive permissions to better address the needs of AI-related features. Permissions are categorized into four levels: basic permissions (e.g., network status access), restricted permissions (e.g., calendar read/write), system-level permissions (e.g., modifying system settings), and AI-sensitive permissions (e.g., biometric identification). This allows developers to select the appropriate permission level based on their application's needs while enabling the system to enforce more precise permission management and security controls.
2. Distributed Permission Management
In the distributed scenario of HarmonyOS, distributed permission management is critical. Developers need to declare cross-device permissions explicitly, such as ohos.permission.DISTRIBUTED_DATASYNC for distributed data synchronization and ohos.permission.CROSS_DEVICE_CAMERA for cross-device camera access. By declaring these permissions, applications can securely and reliably access relevant device features and data in distributed environments, ensuring user privacy and data security.
II. Six Core Permissions in Practice
1. Location Permission Group
When requesting location permissions, due to the sensitivity of location information, dual authorization is required. Developers must request both ohos.permission.LOCATION and ohos.permission.APPROXIMATELY_LOCATION permissions. If the first authorization fails, they can provide a fallback option for approximate location. During the request process, it is essential to clearly inform users of the purpose of accessing location information and obtain user consent to ensure compliance with privacy regulations.
2. Biometric Authentication
Biometric authentication offers a convenient and secure method for user identity verification. For facial recognition permission validation, developers can use the userIAM_auth module to check whether the application has ohos.permission.FACE_AUTH permission. If the permission is granted, biometric authentication can be performed. Error handling logic should also be included to address exceptions during the authentication process, such as network issues or device hardware limitations, and provide appropriate feedback to users.
3. AI Model Invocation Permissions
With the growing integration of AI capabilities into applications, permissions for invoking AI models have become increasingly important. In 2025, HarmonyOS introduces new permissions like ohos.permission.ACCESS_LLM and ohos.permission.SAVE_AI_RESULT. Developers must declare these permissions when using AI model-related features to ensure compliant access and usage of AI capabilities. This also helps prevent unauthorized AI model invocations and protects user data privacy.
III. Enterprise-Level Best Practices
1. Four Principles for Permission Requests
- Minimization Principle: Developers should only request permissions essential for the current scenario and avoid pre-requesting unused permissions to minimize potential privacy risks and enhance user trust in the application.
- Transparency Principle: Customized permission request dialogs can help developers clearly explain to users why certain permissions are needed and how the related data will be used. This aligns with Huawei's UI standards to ensure a consistent user experience while meeting privacy requirements.
2. Sensitive Permission Monitoring Strategy
By monitoring permission status in real time, developers can promptly detect changes in permission states, such as when camera permissions are revoked. They can then disable camera-related features to prevent application crashes or functional failures. This ensures the application adapts dynamically to permission changes and maintains stable operation.
3. Permission Usage Self-Inspection Checklist
The permission usage self-inspection checklist provides developers with a clear set of standards and tools to verify whether their application's permission usage meets requirements. For example, using HAP Scanner to check the consistency of permission declarations, DevEco Profiler to monitor the frequency of sensitive permission calls, and AGC compliance detection to ensure privacy policies fully cover all permissions. This helps developers identify and address permission-related issues early, reducing risks during application development and release.
Top comments (0)