diff --git a/debian/rules b/debian/rules index 0ff59d5..cb12d86 100755 --- a/debian/rules +++ b/debian/rules @@ -20,4 +20,6 @@ export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed override_dh_auto_install: - dh_auto_install -- prefix=/usr \ No newline at end of file + dh_auto_install -- prefix=/usr + dh_installsysusers deepin-face.sysusers + dh_installtmpfiles deepin-face.tmpfiles diff --git a/debian/sysusers b/debian/sysusers new file mode 100644 index 0000000..6c8f626 --- /dev/null +++ b/debian/sysusers @@ -0,0 +1,10 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +#Type Name ID GECOS Home directory Shell +u deepin-face - - +m deepin-face video diff --git a/debian/tmpfiles b/debian/tmpfiles new file mode 100644 index 0000000..155202c --- /dev/null +++ b/debian/tmpfiles @@ -0,0 +1,2 @@ +#Type Path Mode User Group Age Argument +f /var/log/deepin-face.log 0644 deepin-face deepin-face - - diff --git a/msic/dbus-conf/org.deepin.dde.Face1.conf b/msic/dbus-conf/org.deepin.dde.Face1.conf index 5e2bb9a..26f1da5 100644 --- a/msic/dbus-conf/org.deepin.dde.Face1.conf +++ b/msic/dbus-conf/org.deepin.dde.Face1.conf @@ -6,7 +6,7 @@ - + diff --git a/msic/systemd/deepin-face.service b/msic/systemd/deepin-face.service index 9f45caa..2dfc8d3 100644 --- a/msic/systemd/deepin-face.service +++ b/msic/systemd/deepin-face.service 
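Review bot: The operands on the two added lines, `deepin-face.sysusers` and `deepin-face.tmpfiles`, do not match the files this commit adds, which are `debian/sysusers` and `debian/tmpfiles`. As far as I know both helpers find their input by the `debian/[package.]sysusers` and `debian/[package.]tmpfiles` naming convention rather than from a file operand, so plain `dh_installsysusers` and `dh_installtmpfiles` would be the safer form. Please confirm from the built package that the sysusers.d and tmpfiles.d snippets are actually shipped. The unit now sets `User=deepin-face` and will not start if that account was never created.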
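Review bot: The header of the new `debian/sysusers` says "This file is part of systemd" and carries systemd's LGPL notice, which looks copied from a template and misstates the file's origin and licence. A short project-specific header would serve better, for example `# deepin-face: unprivileged account for the face-authentication daemon`. The `m deepin-face video` line also deserves a one-line reason, presumably camera access, since group membership is a standing grant that outlives the unit's own `DeviceAllow=` restriction.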
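Review bot: Mode `0644` on the added `f /var/log/deepin-face.log` line makes the authentication daemon's log readable by every local user. I can't see what the daemon writes, but authentication logs usually carry usernames and success or failure events, so `f /var/log/deepin-face.log 0640 deepin-face adm - -` would be the more conventional choice on Debian. On upgrade, a log left behind by the previous root-run service should also be checked to confirm it ends up owned by deepin-face, otherwise the daemon cannot write to it.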
@@ -1,9 +1,39 @@
 [Unit]
 Description=Deepin Face Authenticate Driver
+# Ask for the dbus socket.
+Wants=dbus.socket
+After=dbus.socket
+
 [Service]
-User=root
 Type=dbus
+User=deepin-face
 BusName=org.deepin.dde.Face1
 ExecStart=/usr/libexec/deepin-face
+ReadOnlyPaths=/usr/share/seetaface-models/
+ReadWritePaths=/var/log/deepin-face.log
+
+DeviceAllow=char-video4linux
+DevicePolicy=closed
+
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+#PrivateDevices=yes
+PrivateNetwork=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+[Install]
+Alias=dbus-org.deepin.dde.Face1.service
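Review bot: `ProtectSystem=full` leaves /var writable, so the added `ReadWritePaths=/var/log/deepin-face.log` and `ReadOnlyPaths=` lines do not narrow anything yet. With `ProtectSystem=strict` the file system becomes read-only and the log file is the only writable path, which appears to be the intent. `DeviceAllow=char-video4linux` without an access list grants `rwm`; `DeviceAllow=char-video4linux rw` drops the mknod right the daemon should not need. The commented-out `#PrivateDevices=yes` deserves a one-line reason (presumably it would hide the camera nodes) so it is not re-enabled by mistake later. If the daemon stores enrolled face data on disk, that path would need its own `ReadWritePaths=` entry under strict, which I cannot see from this hunk.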