1# Application Access Control
2
3## Introduction
4
5The application access control subsystem implements permission control and isolated access control in the system.
6
7Open capabilities of the application access control subsystem include the sandbox management (**Sandbox_manager**) module.
8
9## Architecture
10
11**Figure 1** Application access control architecture
12
13![](figures/app_accesscontrol.png)
14
15APIs: APIs exposed externally by the application access control subsystem. Some APIs are available only to system applications.
16
17**Sandbox_manager** module: implements persistent management on rules for file sharing between sandboxes. Specifically, it provides system applications with the APIs for enabling temporary rules, adding, deleting, and querying persistence rules, and enabling/disabling persistence rules.
18
19## Directory Structure
20```
21/base/accesscontrol
22├── sandbox_manager              # Sandbox management module
23```
24
25## Constraints
26The **sandbox_manager** module is still under development and cannot provide the function for enabling rules. This module depends on the mandatory access control (MAC) mechanism of the system kernel. Therefore, it can be developed only when the MAC mechanism is available.
27
28## Usage
29
30**Sandbox Management**
31
32Each OpenHarmony application runs in an independent sandbox, which isolates application data from each other. The **sandbox_manager** module provides:
33- APIs for adding, deleting, and querying persistence rules (available now).
34- APIs for enabling and disabling persistent rules for system applications (to be available).
35
36The **sandbox_manager** module provides only inner APIs for system applications. If you need to set persistence rules, use the APIs provided by [file\_app\_file\_service](https://gitee.com/openharmony/filemanagement_app_file_service/blob/master/README.md). If you want to share files by starting an application, perform related settings via [ability\_ability\_runtime](https://gitee.com/openharmony/ability_ability_runtime/blob/master/README.md).
37
38## Repositories Involved
39
40Application access control subsystem
41
42[accesscontrol_sandbox_manager](https://gitee.com/openharmony/accesscontrol_sandbox_manager)
43
44<!--no_check-->
45