1<!--
2  Copyright (C) 2020 The Android Open Source Project
3
4  Licensed under the Apache License, Version 2.0 (the "License");
5  you may not use this file except in compliance with the License.
6  You may obtain a copy of the License at
7
8       http://www.apache.org/licenses/LICENSE-2.0
9
10  Unless required by applicable law or agreed to in writing, software
11  distributed under the License is distributed on an "AS IS" BASIS,
12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  See the License for the specific language governing permissions and
14  limitations under the License
15  -->
16
17# Android Role for system developers
18
19This document targets system developers. App developers should refer to the [RoleManager
20documentation](https://developer.android.com/reference/android/app/role/RoleManager) and AndroidX
21[core-role](https://developer.android.com/reference/androidx/core/role/package-summary) library.
22
23## Definition
24
25A role is a unique name within the system for a purpose, associated with certain requirements and
26privileges if granted. For example, the SMS role requires the app to have certain declarations in
27its manifest that are central to SMS functionality, and grants the app privileges like reading and
28writing user's SMS.
29
30The list of available roles and their behavior can be updated via PermissionController upgrade, out
31of the platform release cycle. Since Android Q, all the default apps (e.g. default SMS app) are
32backed by a corresponding role implementation.
33
34The definition for all the roles can be found in [roles.xml](../../../../../res/xml/roles.xml) and
35associated [`RoleBehavior`](model/RoleBehavior.java) classes.
36
37## Defining a role
38
39A role is defined by a `<role>` tag in `roles.xml`.
40
41The following attributes are available for role:
42
43- `name`: The unique name to identify the role, e.g. `android.app.role.SMS`.
44- `behavior`: Optional name of a [`RoleBehavior`](model/RoleBehavior.java) class to control certain
45role behavior in Java code, e.g. `SmsRoleBehavior`. This can be useful when the XML syntax cannot
46express certain behavior specific to the role.
47- `defaultHolders`: Optional name of a system config resource that designates the default holders of
48the role, e.g. `config_defaultSms`. If the role is not exclusive, multiple package names can be
49specified by separating them with semicolon (`;`).
50- `description`: The string resource for the description of the role, e.g.
51`@string/role_sms_description`, which says "Apps that allow you to use your phone number to send and
52receive short text messages, photos, videos, and more". For default apps, this string will appear in
53the default app detail page as a footer. This attribute is required if the role is `visible`.
54- `exclusive`: Whether the role is exclusive. If a role is exclusive, at most one application is
55allowed to be its holder.
56- `label`: The string resource for the label of the role, e.g. `@string/role_sms_label`, which says
57"Default SMS app". For default apps, this string will appear in the default app detail page as the
58title. This attribute is required if the role is `visible`.
59- `requestDescription`: The string resource for the description in the request role dialog, e.g.
60`@string/role_sms_request_description`, which says "Gets access to contacts, SMS, phone". This
61description should describe to the user the privileges that are going to be granted, and should not
62be too long. This attribute is required if the role is both `visible` and `requestable`.
63- `requestTitle`: The string resource for the title of the request role dialog, e.g.
64`@string/role_sms_request_title`, which says "Set %1$s as your default SMS app?". This attribute is
65required if the role is both `visible` and `requestable`.
66- `requestable`: Whether the role will be requestable by apps. If a role isn't requestable but is
67still visible, apps cannot show the request role dialog to user, but user can still manage the role
68in Settings page. This attribute is optional and defaults to the value of `visible`.
69- `searchKeywords`: Optional string resource for additional search keywords for the role, e.g.
70`@string/role_sms_search_keywords` which says "text message, texting, messages, messaging". The role
71label is always implicitly included in search keywords.
72- `shortLabel`: The string resource for the short label of the role, e.g.
73`@string/role_sms_short_label`, which says "SMS app". For default apps, this string will appear in
74the default app list page as the title for the default app item. This attribute is required if the
75role is `visible`.
76- `showNone`: Whether this role will show a "None" option. This allows user to explicitly select
77none of the apps for a role. This attribute is optional, only applies to `exclusive` roles and
78defaults to `false`.
79- `systemOnly`: Whether this role only allows system apps to hold it. This attribute is optional and
80defaults to `false.
81- `visible`: Whether this role is visible to users. If a role is invisible (a.k.a. hidden) to users,
82users won't be able to find it in Settings, and apps won't be able to request it. The role can still
83be managed by system APIs and shell command.
84
85The following tags can be specified inside a `<role>` tag:
86
87- `<required-components>`: Child tags like `<activity>`, `<service>`, `<provider>` and `<receiver>`
88can be used to specified the app manifest requirements of the role, and an app is only qualified
89when it declares all these components. They follow a similar syntax as in typical
90`AndroidManifest.xml`.
91- `<permissions>`: Child tags like `<permission-set>` and `<permission>` can be used to specify the
92permissions that should be granted to the app when it has the role. Several `<permission-set>` are
93defined at the beginning of `roles.xml`.
94- `<app-op-permissions>`: The child tag `<app-op-permission>` can be used to specify the app op
95permissions whose app op should be granted to the app when it has the role.
96- `<app-ops>`: The child tag `<app-op>` can be used to specify the app ops that should be granted to
97the app when it has the role.
98- `<preferred-activities>`: The child tag `<preferred-activity>` can be used to specify the
99preferred activities that should be configured for the app when it gets the role. The first
100`<activity>` tag inside `<preferred-activity>` will identify the activity component inside the app,
101and the other `<intent-filter>` tags inside `<preferred-activity>` can be used to specify for which
102intent filters the identified activity component should be configured as preferred, i.e. the default
103handler for those intents.
104
105## Requesting a role
106
107Before requesting a role, an app should check whether it already has the role with
108`RoleManager.isRoleHeld()`. If it doesn't have the role, it should then check for the availability
109of the role with `RoleManager.isRoleAvailable()`.
110
111An app can request for a role by launching the intent returned by
112`RoleManager.createRequestRoleIntent()`. If the role is unavailable or the app isn't qualified for
113the role, the request role dialog won't show up and will return `RESULT_CANCELED` immediately. If
114the role is granted to the app, it will return `RESULT_OK`.
115
116The following is an example about how to request the SMS role:
117
118```kotlin
119val roleManager = getSystemService(RoleManager::class.java)
120if (roleManager.isRoleHeld(RoleManager.ROLE_SMS)) {
121    // We already have the role.
122} else if (roleManager.isRoleAvailable(RoleManager.ROLE_SMS)) {
123    startActivityForResult(roleManager.createRequestRoleIntent(RoleManager.ROLE_SMS), REQUEST_CODE)
124    // Check the result later in onActivityResult().
125} else {
126    // Role is unavailable.
127}
128```
129
130## Checking a role
131
132Role is not a replacement for permission, and if one needs to check a certain privilege for an
133action, they should typically check a permission instead, and introduce a new permission if there
134isn't an existing one.
135
136`RoleManager.isRoleHeld()` can be used to check whether an app itself has a role. For checking
137whether an arbitrary app has a certain role, `RoleManager.getRoleHoldersAsUser()` can be used to
138retrieve the list of role holders and check if the app is within the list. This is a system API and
139requires the `MANAGE_ROLE_HOLDERS` permission.
140
141## Managing a role
142
143Generally roles are managed by the role implementation and the user, so it's less likely one should
144manage them manually.
145
146In case the system does need to manage the holders of a role, `RoleManager.addRoleHolderAsUser()`,
147`RoleManager.removeRoleHolderAsUser()` and `RoleManager.clearRoleHoldersAsUser()` may be used. These
148are system APIs and require the `MANAGE_ROLE_HOLDERS` permission. These requests are asynchronous
149and the role might not be modified until the `callback` is notified. The role requirements and
150behavior will still apply even if managed via these APIs, so the request might fail and one need to
151check the result in `callback`. In the event that the role controller hanged or crashed, the
152`callback` will return with failure after a certain timeout.
153
154## Shell command
155
156The current list of roles and their holders can be checked with the following shell command on
157device:
158
159```bash
160dumpsys role
161```
162
163You can also manage the role holders with `cmd role`:
164
165```bash
166cmd role add-role-holder [--user USER_ID] ROLE PACKAGE [FLAGS]
167cmd role remove-role-holder [--user USER_ID] ROLE PACKAGE [FLAGS]
168cmd role clear-role-holders [--user USER_ID] ROLE [FLAGS]
169```
170
171The command outputs nothing and exits with `0` on success. If there was an error, the error will be
172printed and the command will terminate with a non-zero exit code.
173