There should be a formal process that includes a security review that determines what permissions an application will be allowed.