• State Not Answered
  • Replies 4 replies
  • Subscribers 74 subscribers
  • Views 67 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 345683
Options

How to enable CHIP_CONFIG_USE_ACCESS_RESTRICTIONS in Matter Config

Dot2dll
The Matter stack’s auto-generated file `access_buildconfig.h` explicitly sets `CHIP_CONFIG_USE_ACCESS_RESTRICTIONS` to `0`, overriding my attempts to enable it. This prevents me from enforcing access control in my application. 

Could anyone recommended method to enable CHIP_CONFIG_USE_ACCESS_RESTRICTIONS and similar flags in the nRF Connect SDK? Specifically:

  • Is there a Kconfig symbol or build argument to enable this?

  • Are there plans to expose these flags in the SDK’s configuration system?

  • If manual overrides are required, how can I ensure they persist across clean builds?

Parents
  • 0

    Hello,

    This prevents me from enforcing access control in my application. 

    What form of access control are you after?

    I am asking because there are some Matter samples in nRF Connect SDK which has the access control cluster enabled by default, i.e. the light bulb sample. See the usage here in the sample documentation.

    Is this what you are after?

    Best regards,

    Maria

  • 0 in reply to Maria Gilje

    Hi Maria,

    Thanks for your response.

    My project is based on the light bulb sample with some customizations to the ZAP configuration. Specifically, I’ve enabled the ReviewFabricRestrictions command within the AccessControl cluster.

    However, during a pristine build, I encountered the following linker error:

    /ncs/v3.0.0/nrf/samples/matter/light_bulb/src/default_zap/zap-generated/IMClusterCommandHandler.cpp:58: 
    undefined reference to `emberAfAccessControlClusterReviewFabricRestrictionsCallback(...)`
    collect2: error: ld returned 1 exit status

    Upon investigation, I found that the function emberAfAccessControlClusterReviewFabricRestrictionsCallback is conditionally compiled inside access-control-server.cpp, guarded by #if CHIP_CONFIG_USE_ACCESS_RESTRICTIONS.

    The issue is that CHIP_CONFIG_USE_ACCESS_RESTRICTIONS is set to 0 in the auto-generated access_buildconfig.h file, which prevents this feature from being included during compilation.

    I’m trying to find a proper way to enable CHIP_CONFIG_USE_ACCESS_RESTRICTIONS (and potentially similar flags) so that the access control functionality works as expected. Is there a supported mechanism (e.g. Kconfig option, build flag, or CMake override) to set or override this macro persistently—even across clean builds?

    Any guidance would be appreciated.

    Best regards,

  • 0 in reply to Dot2dll

    Hello,

    Thank you for sharing more details on your application. I have reproduced this error now, and found that the reason that CHIP_CONFIG_USE_ACCESS_RESTRICTIONS is set to zero is because chip_enable_access_restrictions is set to false in access.gni. I was able to build successfully by setting chip_enable_access_restrictions to true in access.gni, but I don't recommend doing this for other purposes than testing because all applications which enables access control clusters are using that file. That is -- unless you have found a bug and that file will be changed regardless. I am not sure what the intended value for chip_enable_access_restrictions is, so I have requested a clarification internally.

    Note that I just verified that I was able to build, and I don't know if the device functionality is correct.

    I will be back with more information once I get a reply to my internal questions.

    Best regards,

    Maria

  • 0 in reply to Maria Gilje

    Hello,

    The feedback I got internally is that the access restriction feature is not implemented in nRF Connect SDK now. You don't have to make any big changes to get the missing files included, but it does require you to edit the files in the SDK. Here is a way to do this without accidentally including the access restriction code when it is not explicitly needed:

    1. Create a Kconfig symbol (i.e. CHIP_ENABLE_ACCESS_RESTRICTIONS) which defaults to 'n' in ncs\v3.0.0\modules\lib\matter\config\zephyr\Kconfig
      config CHIP_ENABLE_ACCESS_RESTRICTIONS
	bool "Enable Access Restriction support"
	default n
	help
	  Enables Access Restriction support for the Access Control cluster.
    2. In ncs\v3.0.0\modules\lib\matter\config\nrfconnect\chip-module\CMakeLists.txt in the area where other Matter GN arguments are added, enable chip_enable_access_restrictions conditionally on the Kconfig symbol:
      if (CONFIG_CHIP_ENABLE_ACCESS_RESTRICTIONS)
    matter_add_gn_arg_bool("chip_enable_access_restrictions" TRUE)
endif()
    3. In prj.conf for applications with the Access Restrictions command, enable the symbol: 
      CONFIG_CHIP_ENABLE_ACCESS_RESTRICTIONS=y

    Let me know if you have any issues with the above method. I did not test it, but I successfully built the light_bulb sample with the ReviewFabricRestrictions command enabled.

    Best regards,

    Maria

Reply
  • 0 in reply to Maria Gilje

    Hello,

    The feedback I got internally is that the access restriction feature is not implemented in nRF Connect SDK now. You don't have to make any big changes to get the missing files included, but it does require you to edit the files in the SDK. Here is a way to do this without accidentally including the access restriction code when it is not explicitly needed:

    1. Create a Kconfig symbol (i.e. CHIP_ENABLE_ACCESS_RESTRICTIONS) which defaults to 'n' in ncs\v3.0.0\modules\lib\matter\config\zephyr\Kconfig
      config CHIP_ENABLE_ACCESS_RESTRICTIONS
	bool "Enable Access Restriction support"
	default n
	help
	  Enables Access Restriction support for the Access Control cluster.
    2. In ncs\v3.0.0\modules\lib\matter\config\nrfconnect\chip-module\CMakeLists.txt in the area where other Matter GN arguments are added, enable chip_enable_access_restrictions conditionally on the Kconfig symbol:
      if (CONFIG_CHIP_ENABLE_ACCESS_RESTRICTIONS)
    matter_add_gn_arg_bool("chip_enable_access_restrictions" TRUE)
endif()
    3. In prj.conf for applications with the Access Restrictions command, enable the symbol: 
      CONFIG_CHIP_ENABLE_ACCESS_RESTRICTIONS=y

    Let me know if you have any issues with the above method. I did not test it, but I successfully built the light_bulb sample with the ReviewFabricRestrictions command enabled.

    Best regards,

    Maria

Children
No Data
Related
Terms of service