Abstract: This application provides an access control method and a related apparatus and system. In the method, a same callee may enable a plurality of instances, and serve different callers by using different instances. Due to an attribute of natural isolation between instances, the different instances cannot access memory data of each other. In this way, a system-level memory data security mechanism can be provided, problems of abuse and leakage of memory data of each caller are avoided, and data security is ensured.

Abstract: A method includes: an electronic device sends a sign-in request to enable a management party device to learn that the electronic device has entered a specific environment. The management party device selects one access policy from one or more stored access policies based on one or more of the following: restriction levels for the specific environment, restriction categories for functions of electronic devices in the specific environment, a device type or a login user of an electronic device, a time point at which the management party device receives the sign-in request, or an area in which the electronic device is located in the specific environment, and sends the access policy to the electronic device, to restrict a function of the electronic device.

Abstract: This application discloses an access control method, an electronic device, and a system, so as to run different instances when a callee provides services for different callers, and keep isolation between memory data of the different instances. This resolves a problem that memory data of each caller is abused, misused, or leaked, and ensures data security.

Abstract: This disclosure provides a flexible authorization access control method, a related apparatus, and a system. In the method, if an electronic device that receives an access request does not meet an authorization condition, is currently not suitable for authorization, or cannot currently obtain authorization from a user in time, the electronic device may select one electronic device in a distributed system as an authorization device. After obtaining a permission that is granted by the user and that is required for the access request, the authorization device notifies the electronic device, and then the electronic device may respond to the access request. In this disclosure, the electronic device can quickly and conveniently obtain the permission required for the access request and respond to the access request in a case in which the user is not disturbed, to ensure data security in the electronic device and meet a requirement of the user.

Abstract: An atomic ability invoking method includes a terminal device obtaining an invoking request of an app for an atomic ability (A/A). When the AA is deployed in the terminal device, the terminal device starts the AA and grants, to the AA, a resource access permission required by the AA, so that the AA responds to the invoking request based on the resource access permission required by the AA. According to this method, in a process in which the app invokes the AA, the AA has only the resource access permission required by the AA, to prevent the AA from accessing a corresponding system resource based on a resource access permission that the AA should not have.

Abstract: A permission reuse method includes receiving, by a second device, control information from a first device, wherein the control information comprises a first device identifier of the first device, user equipment of a plurality of applications, and permission information of the plurality of applications, and wherein permission information of an application is used to indicate an object in the first device that the application has permission to access, and the object in the first device comprises a software or hardware resource in the first device; creating, by the second device, a virtual identity of the first device based on the control information, wherein the virtual identity comprises the first device identifier and the user identifiers; and storing, by the second device, the virtual identity, the permission information of the plurality of applications, and a correspondence between the virtual identity and the permission information of the plurality of applications.