diff --git a/interfaces/innerkits/accesstoken/include/access_token.h b/interfaces/innerkits/accesstoken/include/access_token.h
index bd69ff1d347a3e37c5a86430e9d8f934f33cc8cb..d4b050ed75dd721ceedb18ca6e5e484cc41aacfc 100644
--- a/interfaces/innerkits/accesstoken/include/access_token.h
+++ b/interfaces/innerkits/accesstoken/include/access_token.h
@@ -23,6 +23,7 @@ typedef unsigned int AccessTokenID;
 typedef unsigned int AccessTokenAttr;
 static const int DEFAULT_TOKEN_VERSION = 1;
 static const int DEFAULT_PERMISSION_FLAGS = 0;
+static const int FIRSTCALLER_TOKENID_DEFAULT = 0;
 
 enum AccessTokenKitRet {
     RET_FAILED = -1,
diff --git a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
index 336687a947aec2e08b13c13abe41ed5993177d38..2fa8408f3e17d6e8941be1c22db02affd4e76735 100644
--- a/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
+++ b/interfaces/innerkits/accesstoken/src/accesstoken_kit.cpp
@@ -147,7 +147,14 @@ int AccessTokenKit::VerifyAccessToken(AccessTokenID tokenID, const std::string&
 int AccessTokenKit::VerifyAccessToken(
     AccessTokenID callerTokenID, AccessTokenID firstTokenID, const std::string& permissionName)
 {
-    return PERMISSION_DENIED;
+    int ret = AccessTokenKit::VerifyAccessToken(callerTokenID, permissionName);
+    if (ret != PERMISSION_GRANTED) {
+        return ret;
+    }
+    if (firstTokenID == FIRSTCALLER_TOKENID_DEFAULT) {
+        return ret;
+    }
+    return AccessTokenKit::VerifyAccessToken(firstTokenID, permissionName);
 }
 
 int AccessTokenKit::GetDefPermission(const std::string& permissionName, PermissionDef& permissionDefResult)