# Access Control

<a href="http://35.236.121.59/hub/user-redirect/git-pull?repo=https%3A%2F%2Fgithub.com%2Fproject-chip%2Fconnectedhomeip&urlpath=lab%2Ftree%2Fconnectedhomeip%2Fdocs%2Fguides%2Frepl%2FMatter%2520-%2520Access%2520Control.ipynb&branch=master">
<img src="https://i.ibb.co/hR3yWsC/launch-playground.png" alt="drawing" width="130"/>
</a>
<br/>

This document explains how to use Access Control in Matter, and will be updated as development proceeds.

## What Does and Doesn’t Work Right Now?

Briefly, you can read and write the entire ACL attribute in the all-clusters-app, but Access Control isn’t yet turned on, so it won’t affect interactions. There’s almost no error checking when writing the ACL attribute (e.g. ensuring that subjects match the auth mode, or that only entries for your own fabric can be written), so exercise caution for now.

## Clear Persisted Storage

Let's clear out our persisted storage (if one exists) to start from a clean slate.

In [7]:
import os, subprocess

if os.path.isfile('/tmp/repl-storage.json'):
    os.remove('/tmp/repl-storage.json')

# So that the all-clusters-app won't boot with stale prior state.
os.system('rm -rf /tmp/chip_*')

## Initialization

Let's begin by importing some key modules that make it easier to interact with the Matter stack.

> **NOTE**: _This is not needed if you launch the REPL from the command-line._

In [8]:
import chip.native
import pkgutil
module = pkgutil.get_loader('chip.ChipReplStartup')
%run {module.path}

New FabricAdmin: FabricId: 1(1)


Allocating new controller with FabricId: 1(1), NodeId: 1


## Commission and Setup Server

### Launch Server

Let's launch an instance of the `chip-all-clusters-app`.

In [9]:
import time, os
import subprocess
os.system('pkill -f chip-all-clusters-app')
time.sleep(1)

# The location of the all-clusters-app in the cloud playground is one level higher - adjust for this by testing for file presence.
if (os.path.isfile('../../../out/debug/chip-all-clusters-app')):
    appPath = '../../../out/debug/chip-all-clusters-app'
else:
    appPath = '../../../../out/debug/chip-all-clusters-app'

process = subprocess.Popen(appPath, stdout=subprocess.DEVNULL)
time.sleep(1)

### Commission Target

Commission the target with a NodeId of 1.

In [10]:
devCtrl.CommissionIP(b'127.0.0.1', 20202021, 2)

2022-01-29 16:01:43 johnsj-macbookpro1.roam.corp.google.com chip.SC[9915] ERROR The device does not support GetClock_RealTimeMS() API. This will eventually result in CASE session setup failures.


Node address has been updated
Commissioning complete


## Bootstrap ACLs

Normally there would be at least one admin entry after commissioning, but for now the ACL will be empty, so add that entry manually. This step will be removed once it’s no longer necessary.

In [11]:
await devCtrl.ReadAttribute(2, [ (0, Clusters.OperationalCredentials)], True)

In [5]:
acl = [ Clusters.AccessControl.Structs.AccessControlEntryStruct(
    fabricIndex = 1,
    privilege = Clusters.AccessControl.Enums.AccessControlEntryPrivilegeEnum.kAdminister,
    authMode = Clusters.AccessControl.Enums.AccessControlEntryAuthModeEnum.kCase,
    subjects = [ 1 ] ) 
]

acl

In [6]:
await devCtrl.WriteAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl( acl ) ) ] )

In [7]:
data = await devCtrl.ReadAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl) ] )
data

In [8]:
acl = data[0][chip.clusters.Objects.AccessControl][chip.clusters.Objects.AccessControl.Attributes.Acl]
acl

In [9]:
acl.append(Clusters.AccessControl.Structs.AccessControlEntryStruct(
    fabricIndex = 1,
    privilege = Clusters.AccessControl.Enums.AccessControlEntryPrivilegeEnum.kOperate,
    authMode = Clusters.AccessControl.Enums.AccessControlEntryAuthModeEnum.kCase,
    targets = [ Clusters.AccessControl.Structs.AccessControlTargetStruct(
        endpoint = 1,
    ) ] ) )
acl

In [10]:
await devCtrl.WriteAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl( acl ) ) ] )

In [11]:
await devCtrl.ReadAttribute(2, [ (0, Clusters.AccessControl.Attributes.Acl ) ] )
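Because the all-clusters-app does not yet validate what is written to the ACL attribute, it is worth checking entries on the controller side before calling `WriteAttribute`. The following is an added example, not code from the Matter SDK: it models the `AccessControlEntryStruct` and `AccessControlTargetStruct` fields used in this notebook as plain dataclasses so it runs without the `chip` package, and applies the entry constraints as understood here (own fabric only, Administer only via CASE, subject ranges matching the auth mode, well-formed targets); those rules and limits are assumptions for the example.

```python
# Added example (not the SDK's code): pre-write sanity checks for ACL entries, standing in
# for the server-side validation the text says is missing. Limits below are assumptions.
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

class Privilege(IntEnum):   # same values as AccessControlEntryPrivilegeEnum
    kView, kProxyView, kOperate, kManage, kAdminister = 1, 2, 3, 4, 5

class AuthMode(IntEnum):    # same values as AccessControlEntryAuthModeEnum
    kPase, kCase, kGroup = 1, 2, 3

@dataclass
class Target:               # mirrors AccessControlTargetStruct
    cluster: Optional[int] = None
    endpoint: Optional[int] = None
    deviceType: Optional[int] = None

@dataclass
class Entry:                # mirrors AccessControlEntryStruct
    fabricIndex: int
    privilege: Privilege
    authMode: AuthMode
    subjects: Optional[List[int]] = None
    targets: Optional[List[Target]] = None

def check_entry(e: Entry, own_fabric_index: int) -> List[str]:
    # Returns the problems found in one entry; an empty list means it is acceptable.
    problems = []
    if e.fabricIndex != own_fabric_index:     # only our own fabric's entries may be written
        problems.append(f"fabricIndex {e.fabricIndex} is not our fabric {own_fabric_index}")
    if e.privilege == Privilege.kAdminister and e.authMode != AuthMode.kCase:
        problems.append("Administer privilege may only be granted to CASE subjects")
    for s in e.subjects or []:                # subjects must fit the auth mode's ID space
        if e.authMode == AuthMode.kCase and not 0 < s < 2**64:
            problems.append(f"subject {s:#x} is not a valid 64-bit node ID for CASE")
        if e.authMode == AuthMode.kGroup and not 0 < s <= 0xFFFF:
            problems.append(f"subject {s:#x} is not a valid 16-bit group ID")
    for t in e.targets or []:
        if t.cluster is None and t.endpoint is None and t.deviceType is None:
            problems.append("target must set at least one of cluster/endpoint/deviceType")
        if t.endpoint is not None and t.deviceType is not None:
            problems.append("target may not set both endpoint and deviceType")
    return problems

# Constructed sample: the two entries this notebook writes, plus one that should be rejected.
SAMPLE_ACL = [
    Entry(1, Privilege.kAdminister, AuthMode.kCase, subjects=[1]),
    Entry(1, Privilege.kOperate, AuthMode.kCase, targets=[Target(endpoint=1)]),
    Entry(2, Privilege.kAdminister, AuthMode.kGroup, subjects=[0x10000]),
]
```

Running `check_entry` over each element of `SAMPLE_ACL` with `own_fabric_index=1` accepts the notebook's two entries and reports three problems for the third (wrong fabric, Administer via Group, out-of-range group ID).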