Pure-function ACL engine for Matter access control.
Evaluates whether a given subject/fabric has sufficient privilege for a requested operation on a target. No state — just pattern matching.
Summary
Functions
Check whether the given context has sufficient privilege for the target.
Return the minimum privilege required for an IM operation.
Return the privilege required to write a specific cluster's attributes. The Access Control cluster (0x001F) requires Administer privilege.
Types
@type acl_entry() :: %{ privilege: 1..5, auth_mode: 2 | 3, subjects: [non_neg_integer()] | nil, targets: [map()] | nil, fabric_index: non_neg_integer() }
@type auth_mode() :: :pase | :case | :group
@type context() :: %{ auth_mode: auth_mode(), subject: non_neg_integer(), fabric_index: non_neg_integer() }
@type privilege() :: :view | :proxy_view | :operate | :manage | :administer
Functions
@spec check( context(), [acl_entry()], privilege(), {non_neg_integer(), non_neg_integer()} ) :: :allow | :deny
Check whether the given context has sufficient privilege for the target.
PASE sessions always get implicit admin access (bypass ACL). CASE sessions are checked against the ACL entries.
Return the minimum privilege required for an IM operation.
@spec write_privilege(non_neg_integer()) :: privilege()
Return the privilege required to write a specific cluster's attributes. The Access Control cluster (0x001F) requires Administer privilege.