Only ask for the permissions that are essential to an app.
Obtain only the permissions that are truly necessary.
Ask for permissions in the context in which they are required. For example, if your app wants to show places of interest near a person’s home, asking for user_place_visits just prior to displaying that information would give the person a greater understanding of why the permission is being requested.
Use any available public profile information before asking for a permission. For example, there is an age_range field included in the public profile for anyone who installs your app. This field may be sufficient for your app instead of requesting user_birthday permission.
Separate requests for read and publish permissions. For more details, see below.
Apps should separate the request of read and publish permissions. Plan your app around requesting the bare minimum of read permissions at initial login and then any publish permissions when a person actually needs them, for example when they want to create an Open Graph story from within the app.
Never ask for permissions you think you might need in the future. People will be suspicious and may reject your app.
Do not obtain a permission on the grounds that, although it is not used now, it will probably be needed in the near future.
Tell people ahead of time why you are requesting a permission. Explaining why you need access to something will increase the chance that they are willing to share it.
Explain to users in advance why each permission is being obtained.
In the rare case your app requires publishing permissions up front (for example, an app that does nothing but publish a person’s mood to Facebook) only request the bare minimum read permissions at initial login. After the person logs in, show the person a screen explaining why your app needs publishing permissions and let the person opt-in to the publishing permission request by clicking a button. This will provide them with more context and improve your conversion.
One instance where you may have to request read and write permissions back-to-back is the first time that you’re associating an email-based account with a person’s Facebook account. This is usually done when someone wants to share a story on their Facebook Timeline.
When your app creates the login dialog, the person will see two dialogs in a row – one to connect their account to your app and another asking for publish permissions.
For this case, make sure that the only read permission you request is public_profile. This provides the best user experience because the user wants to publish from your app and is often not interested in providing additional read permissions. It will also improve your conversion.
Apps should check the validity of permissions before attempting to perform an API call that requires them. For example, check that publish_actions is still granted before attempting to publish an Open Graph story.
First, apps should be able to handle any permissions that were requested but not granted:
The app must remain usable even if the permissions it asks for are not approved.
Once an app has detected that someone has denied some or all permissions, it may pass them back through the login flow once and request any required permissions. However, this is a poor experience and should be avoided if possible. If someone is actively choosing not to grant a specific permission to an app they are unlikely to change their mind, even in the face of continued prompting.
If a person declines the login dialog, have a clear and upfront explanation about why you are requesting each permission. Then let them click or tap to opt back in to the permission request dialog. Do not immediately redirect them into a permission request dialog without an explanation.
If someone has declined a permission for your app, the login dialog won’t let your app re-request the permission unless you pass auth_type=rerequest along with your request.
For cases where someone has granted some permissions but not others, only prompt for missing permissions at the point at which they are needed. For example, if your app posts stories to Facebook, only request publish_actions when they ask to publish a story.
Unless the permissions you are requesting in the login dialog are critical to the functionality of your app and a feature doesn’t work without them, let people continue using your app without the permissions.
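The decision logic described above (check granted permissions before an API call, prompt for a missing permission only at the point of need, add auth_type=rerequest only when the person previously declined it, re-prompt at most once after an explanation, and otherwise continue without the permission) can be written as a small pure function. The following is an added example, not code from the page or from Facebook's SDK. It assumes the documented shape of the Graph API's GET /me/permissions response, an object of the form {data: [{permission, status}]} with status "granted" or "declined"; the response below is a constructed sample, and the function names (checkFeaturePermissions, buildLoginOptions, decideAction) are this example's own. The returned options object is the one you would hand to FB.login(); the network call itself is not made here.

```javascript
// Constructed sample of a GET /me/permissions response (not real data).
const SAMPLE_PERMISSIONS_RESPONSE = {
  data: [
    { permission: "public_profile", status: "granted" },
    { permission: "email", status: "declined" },
    { permission: "user_birthday", status: "granted" },
  ],
};

// Index the response by permission name so lookups are O(1).
function indexPermissions(response) {
  const status = new Map();
  for (const entry of response.data || []) {
    status.set(entry.permission, entry.status);
  }
  return status;
}

// Classify each permission a feature needs as granted, declined (the person
// said no in the login dialog) or unrequested (absent from the response).
function checkFeaturePermissions(response, required) {
  const status = indexPermissions(response);
  const result = { granted: [], declined: [], unrequested: [] };
  for (const perm of required) {
    const s = status.get(perm);
    if (s === "granted") result.granted.push(perm);
    else if (s === "declined") result.declined.push(perm);
    else result.unrequested.push(perm);
  }
  return result;
}

// Build the options object for FB.login(). auth_type=rerequest is only added
// when at least one scope was previously declined, because without it the
// login dialog will not show a declined scope again. Returns null when the
// feature already has everything it needs.
function buildLoginOptions(check) {
  const missing = [...check.declined, ...check.unrequested];
  if (missing.length === 0) return null;
  const opts = { scope: missing.join(",") };
  if (check.declined.length > 0) opts.auth_type = "rerequest";
  return opts;
}

// Decide what the app should do at the moment a person uses a feature.
// `critical`: the feature cannot work at all without these permissions.
// `alreadyReprompted`: the person has already been sent back through the
// login flow once for this feature; the page advises not to keep prompting.
function decideAction(
  response,
  required,
  { critical = false, alreadyReprompted = false } = {}
) {
  const check = checkFeaturePermissions(response, required);
  const loginOptions = buildLoginOptions(check);
  if (loginOptions === null) return { action: "proceed", loginOptions: null, check };
  if (!critical) return { action: "continue_without", loginOptions: null, check };
  if (alreadyReprompted) return { action: "explain_and_stop", loginOptions: null, check };
  // Show the explanation screen first; only call FB.login(cb, loginOptions)
  // after the person opts back in by clicking a button.
  return { action: "explain_then_prompt", loginOptions, check };
}

// Usage: a feature that needs email, which this person declined earlier.
const decision = decideAction(
  SAMPLE_PERMISSIONS_RESPONSE,
  ["public_profile", "email"],
  { critical: true }
);
console.log(decision.action, decision.loginOptions);
// explain_then_prompt { scope: 'email', auth_type: 'rerequest' }
```

Note that a publish permission such as publish_actions is simply absent from the response until the app asks for it, so for a "share a story" feature the same function yields a scope of just publish_actions with no auth_type, which is the point-of-need request the text recommends.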