diff --git a/services/distributedfiledaemon/BUILD.gn b/services/distributedfiledaemon/BUILD.gn
index 7a2313b34a755878fd72e9cc45e1c49bc2de7842..2e3b0dfd1f89a206db790296016bcb30da2da875 100755
--- a/services/distributedfiledaemon/BUILD.gn
+++ b/services/distributedfiledaemon/BUILD.gn
@@ -44,6 +44,7 @@ ohos_shared_library("libdistributedfiledaemon") {
 "//foundation/distributedhardware/devicemanager/interfaces/inner_kits/native_cpp:devicemanagersdk",
 ]
 external_deps = [
+ "access_token:libaccesstoken_sdk",
 "dataclassification:data_transit_mgr",
 "dsoftbus_standard:softbus_client",
 "ipc:ipc_core",
diff --git a/services/distributedfiledaemon/src/ipc/daemon.cpp b/services/distributedfiledaemon/src/ipc/daemon.cpp
index 8f9da6a61a85c810a2a58f1fecae8992bdb2b7c3..05ba0ba6c2bac780a7159f7df25d012a1f6d9cdd 100644
--- a/services/distributedfiledaemon/src/ipc/daemon.cpp
+++ b/services/distributedfiledaemon/src/ipc/daemon.cpp
@@ -15,6 +15,8 @@
 #include "ipc/daemon.h"
+#include "accesstoken_kit.h"
+#include "ipc_skeleton.h"
 #include "mountpoint/mount_manager.h"
 #include "os_account_manager.h"
 #include "system_ability_definition.h"
@@ -24,9 +26,48 @@ namespace OHOS {
 namespace Storage {
 namespace DistributedFile {
 using namespace std;
+constexpr int UID_ROOT = 0;
 REGISTER_SYSTEM_ABILITY_BY_ID(Daemon, FILEMANAGEMENT_DISTRIBUTED_FILE_DAEMON_SA_ID, true);
+bool CheckClientPermission(const std::string& permissionStr)
+{
+ int uid = IPCSkeleton::GetCallingUid();
+ LOGI("check uid: %{public}d", uid);
+ if (uid == UID_ROOT) {
+ LOGI("distributedfiledaemon permissionCheck pass!");
+ return true;
+ }
+ Security::AccessToken::AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
+ int res = Security::AccessToken::AccessTokenKit::VerifyAccessToken(tokenCaller, permissionStr);
+ if (res == Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
+ LOGI("Have interact across local accounts extension permission");
+ return true;
+ }
+ LOGI("Have interact across local accounts extension permission failed");
+ return false;
+}
+
+bool RevokeClientPermission(const std::string& permissionStr)
+{
+ int uid = IPCSkeleton::GetCallingUid();
+ LOGI("revoke uid: %{public}d", uid);
+ if (uid == UID_ROOT) {
+ LOGI("distributedfiledaemon permissionRevoke pass!");
+ return true;
+ }
+
+ Security::AccessToken::AccessTokenID tokenCaller = IPCSkeleton::GetCallingTokenID();
+ int flag = Security::AccessToken::AccessTokenKit::GetPermissionFlag(tokenCaller, permissionStr);
+ int res = Security::AccessToken::AccessTokenKit::RevokePermission(tokenCaller, permissionStr, flag);
+ if (res == Security::AccessToken::PermissionState::PERMISSION_GRANTED) {
+ LOGI("Revoke interact across local accounts extension permission");
+ return true;
+ }
+ LOGI("Revoke interact across local accounts extension permission failed");
+ return false;
+}
+
 void Daemon::PublishSA()
 {
 LOGI("Begin to init");
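Review bot: In `RevokeClientPermission` the result of `AccessTokenKit::RevokePermission` is compared with `PermissionState::PERMISSION_GRANTED`, which is a permission state rather than a call status, so the success branch only holds while the two values happen to coincide. Compare against the call's own success code instead, e.g. `if (res == Security::AccessToken::RET_SUCCESS) {` if this SDK version exposes that name, and validate the value returned by `GetPermissionFlag` before passing it on as `flag`. In both helpers the denial path is logged with `LOGI`; `LOGE("permission %{public}s denied for uid %{public}d", permissionStr.c_str(), uid);` would make refused callers visible to anyone monitoring the logs. The `uid == UID_ROOT` shortcut also returns true from the revoke helper without revoking anything, which deserves a comment such as `// root callers are trusted; nothing is revoked for them`.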
@@ -46,6 +87,11 @@ void Daemon::RegisterOsAccount()
 osAccountSubscribeInfo.SetOsAccountSubscribeType(OHOS::AccountSA::OS_ACCOUNT_SUBSCRIBE_TYPE::ACTIVED);
 osAccountSubscribeInfo.SetName("distributed_file_service");
+ std::string permission = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
+ if (!CheckClientPermission(permission)) {
+ LOGE("distributedfiledaemon checkPermission error");
+ return;
+ }
 subScriber_ = std::make_shared(osAccountSubscribeInfo);
 int ret = OHOS::AccountSA::OsAccountManager::SubscribeOsAccount(subScriber_);
 if (ret != 0) {
@@ -79,6 +125,11 @@ void Daemon::OnStop()
 LOGI("Begin to stop");
 state_ = ServiceRunningState::STATE_NOT_START;
 registerToService_ = false;
+ std::string permission = "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION";
+ if (!RevokeClientPermission(permission)) {
+ LOGE("distributedfiledaemon RevokePermission error");
+ return;
+ }
 int32_t ret = OHOS::AccountSA::OsAccountManager::UnsubscribeOsAccount(subScriber_);
 if (ret != 0) {
 LOGI("UnsubscribeOsAccount failed, ret %{public}d", ret);
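Review bot: In `Daemon::RegisterOsAccount` the new `CheckClientPermission` call reads `IPCSkeleton::GetCallingUid()` and `GetCallingTokenID()`, but nothing in this hunk shows the function being reached from an IPC request; if it runs on the service's start-up path, those calls presumably describe the daemon process itself and no client is actually being authorised. If that is the intent, say so with a comment such as `// verifies that the daemon's own token holds the permission before subscribing`; otherwise the check belongs in the IPC stub that receives the client call. The early `return` also leaves the daemon running without an account subscription, so the `LOGE` text should state that consequence. The function body starts and ends outside the hunk.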
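Review bot: In `Daemon::OnStop` the added `return` on a failed `RevokeClientPermission` skips `UnsubscribeOsAccount(subScriber_)` and everything after it, so a revoke error leaves the account subscription registered while `state_` already reads `STATE_NOT_START`. Log the failure and fall through to the cleanup, i.e. keep `LOGE("distributedfiledaemon RevokePermission error");` and drop the `return;`. Revoking `ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS_EXTENSION` from whatever token `GetCallingTokenID()` yields at stop time also looks unintended: if that token is the daemon's own, the next start would presumably fail the check added in `RegisterOsAccount`, so the target token should be confirmed and documented. The body of `OnStop` continues past the end of the hunk.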