diff --git a/interfaces/inner_api/file_access/src/file_access_ext_stub.cpp b/interfaces/inner_api/file_access/src/file_access_ext_stub.cpp
index 38f8f8cf1203c67894056f7074eaaa50d6acfb03..a78dac8e378b55b21643198091e72c4758984f09 100644
--- a/interfaces/inner_api/file_access/src/file_access_ext_stub.cpp
+++ b/interfaces/inner_api/file_access/src/file_access_ext_stub.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -78,15 +78,15 @@ int FileAccessExtStub::OnRemoteRequest(uint32_t code, MessageParcel& data, Messa
         return ERR_INVALID_STATE;
     }
 
-    const auto &itFunc = stubFuncMap_.find(code);
-    if (itFunc != stubFuncMap_.end()) {
-        return (this->*(itFunc->second))(data, reply);
-    }
-
     if (!CheckCallingPermission(FILE_ACCESS_PERMISSION)) {
         HILOG_ERROR("permission error");
         return E_PERMISSION;
     }
+
+    const auto &itFunc = stubFuncMap_.find(code);
+    if (itFunc != stubFuncMap_.end()) {
+        return (this->*(itFunc->second))(data, reply);
+    }
     return IPCObjectStub::OnRemoteRequest(code, data, reply, option);
 }
 
diff --git a/services/file_access_service.cfg b/services/file_access_service.cfg
index f74283026eb3835ab10a20e66482b41707653c17..641f1be4d761ff59650f17d7b42125cfc8a81879 100644
--- a/services/file_access_service.cfg
+++ b/services/file_access_service.cfg
@@ -4,7 +4,10 @@
             "path" : ["/system/bin/sa_main", "/system/profile/file_access_service.json"],
             "uid" : "file_manager",
             "ondemand" : true,
-            "secon" : "u:r:file_access_service:s0"
+            "secon" : "u:r:file_access_service:s0",
+            "permission" : [
+                "ohos.permission.FILE_ACCESS_MANAGER"
+            ]
         }
     ]
 }
\ No newline at end of file
diff --git a/services/native/file_access_service/src/file_access_service_stub.cpp b/services/native/file_access_service/src/file_access_service_stub.cpp
index 31f3d2b4972d033c9ccdede8035a354bf44e7a0b..1ffe1759b2ba9eae29e18defa3d15573f6ab9e4a 100644
--- a/services/native/file_access_service/src/file_access_service_stub.cpp
+++ b/services/native/file_access_service/src/file_access_service_stub.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -61,15 +61,15 @@ int32_t FileAccessServiceStub::OnRemoteRequest(uint32_t code, MessageParcel &dat
         return ERR_INVALID_STATE;
     }
 
-    const auto &itFunc = stubFuncMap_.find(code);
-    if (itFunc != stubFuncMap_.end()) {
-        return (this->*(itFunc->second))(data, reply);
-    }
-
     if (!CheckCallingPermission(FILE_ACCESS_PERMISSION)) {
         HILOG_ERROR("permission error");
         return E_PERMISSION;
     }
+
+    const auto &itFunc = stubFuncMap_.find(code);
+    if (itFunc != stubFuncMap_.end()) {
+        return (this->*(itFunc->second))(data, reply);
+    }
     return IPCObjectStub::OnRemoteRequest(code, data, reply, option);
 }
 
diff --git a/test/unittest/external_notify_test.cpp b/test/unittest/external_notify_test.cpp
index dbe74f90fab6b388fb1704a8a1281717746c82cf..b88eb3f7cf53cad4604fbbffd1cddea1d35d00b6 100644
--- a/test/unittest/external_notify_test.cpp
+++ b/test/unittest/external_notify_test.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -49,6 +49,7 @@ vector<string> g_notifyUris;
 const int SLEEP_TIME = 600 * 1000;
 const int UID_TRANSFORM_TMP = 20000000;
 const int UID_DEFAULT = 0;
+const uint64_t SYSTEM_APP_MASK =  (static_cast<uint64_t>(1) << 32); // 1: Base number, 32: Left shifted bit numbers
 shared_ptr<OHOS::AbilityRuntime::Context> g_context = nullptr;
 
 void SetNativeToken()
@@ -76,6 +77,25 @@ void SetNativeToken()
     delete[] perms;
 }
 
+void SetNativeToken(const char* processName, const char*perms[], int32_t permsNum)
+{
+    uint64_t tokenId;
+    NativeTokenInfoParams infoInstance = {
+        .dcapsNum = 0,
+        .permsNum = permsNum,
+        .aclsNum = 0,
+        .dcaps = nullptr,
+        .perms = perms,
+        .acls = nullptr,
+        .aplStr = "system_core",
+    };
+    tokenId = GetAccessTokenId(&infoInstance);
+    const uint64_t systemAppMask = SYSTEM_APP_MASK;
+    tokenId |= systemAppMask;
+    SetSelfTokenID(tokenId);
+    OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
+}
+
 class FileExtensionNotifyTest : public testing::Test {
 public:
     static void SetUpTestCase(void)
@@ -1169,4 +1189,51 @@ HWTEST_F(FileExtensionNotifyTest, external_file_access_notify_0019, testing::ext
     }
     GTEST_LOG_(INFO) << "FileExtensionNotifyTest-end external_file_access_notify_0019";
 }
+
+HWTEST_F(FileExtensionNotifyTest, external_file_access_notify_0020, testing::ext::TestSize.Level1)
+{
+    GTEST_LOG_(INFO) << "FileExtensionNotifyTest-begin external_file_access_notify_0020";
+    try {
+        g_notifyEvent = -1;
+        vector<RootInfo> info;
+        const char* perms[] = {
+            "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED"
+        };
+        SetNativeToken("SetUpTestCase", perms, sizeof(perms) / sizeof(perms[0]));
+        int result = g_fah->GetRoots(info);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::E_PERMISSION);
+        SetNativeToken();
+        result = g_fah->GetRoots(info);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK);
+
+        bool notifyForDescendants = true;
+        sptr<IFileAccessObserver> myObserver1 = new (std::nothrow) MyObserver();
+        Uri parentUri(info[1].uri);
+        Uri newFileDir1("");
+        SetNativeToken("SetUpTestCase", perms, sizeof(perms) / sizeof(perms[0]));
+        result = g_fah->Mkdir(parentUri, "uri_dir", newFileDir1);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::E_PERMISSION);
+        SetNativeToken();
+        result = g_fah->Mkdir(parentUri, "uri_dir", newFileDir1);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK);
+
+        SetNativeToken("SetUpTestCase", perms, sizeof(perms) / sizeof(perms[0]));
+        result = g_fah->RegisterNotify(newFileDir1, notifyForDescendants, myObserver1);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::E_PERMISSION);
+
+        result = g_fah->UnregisterNotify(newFileDir1, myObserver1);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::E_PERMISSION);
+
+        result = g_fah->Delete(newFileDir1);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::E_PERMISSION);
+
+        SetNativeToken();
+        result = g_fah->Delete(newFileDir1);
+        EXPECT_EQ(result, OHOS::FileAccessFwk::ERR_OK);
+
+    } catch (...) {
+        GTEST_LOG_(ERROR) << "external_file_access_notify_0020 occurs an exception.";
+    }
+    GTEST_LOG_(INFO) << "FileExtensionNotifyTest-end external_file_access_notify_0020";
+}
 } // namespace