4. ACL Visualization
When constructing the ACL graph, Neo4LDAP employs a path selection algorithm designed to extract the most relevant privilege escalation paths. This is essential not only for improving graph clarity, but also to meet a fundamental structural requirement: maintaining a Directed Acyclic Graph (DAG).
Rendering all possible paths would quickly lead to an unreadable graph and introduce cycles.
Neo4LDAP uses a scoring system based on weighted ACL types to determine the most appropriate paths to retain in the final outbound graph. These weights can be modified through the graphical interface in the ACLs view using the weights button.
⚠️ Warning: Avoid excessively wide ranges of weights between ACE types. Because the scoring averages the weights along a path, one very high or very low value can dominate the comparison and make the selected path less accurate.
Additionally, if a node has multiple ACLs pointing to the same target node, only the ACL with the highest assigned weight is considered for path evaluation. This avoids redundancy and keeps the scoring logic consistent.
The algorithm selects the "best" path between two or more candidates according to the following logic:
- Paths with a higher average ACE weight are preferred.
- If equal, the path with fewer total ACE jumps is preferred.
- If still equal, the path with the higher minimum ACE weight is preferred.
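The three-tier ordering above, together with the rule that parallel ACEs between the same pair of nodes collapse to the highest-weighted one, as an added Python example. This is an illustrative reimplementation and not Neo4LDAP's own code; the ACE weights and the small graph are constructed for the example (Neo4LDAP's default weights may differ), and the unselected edges are reported per source node as shadow relationships.

```python
"""Path selection over a weighted ACL graph: higher average ACE weight,
then fewer jumps, then higher minimum weight.  Illustrative code, not
Neo4LDAP's implementation."""

from collections import defaultdict

# Assumed weights for a few ACE types (example values, not the tool's defaults).
WEIGHTS = {
    "GenericAll": 10,
    "WriteDacl": 9,
    "GenericWrite": 8,
    "AddMember": 7,
    "ForceChangePassword": 6,
}

# Constructed sample edges (source, ACE type, target).  Two ACEs from G1 to DA
# exercise the collapse rule; G1 <-> G2 forms a cycle the walk must not follow.
EDGES = [
    ("A", "AddMember", "G1"),
    ("A", "GenericWrite", "G2"),
    ("A", "ForceChangePassword", "U2"),
    ("A", "GenericWrite", "S"),
    ("G1", "GenericWrite", "DA"),
    ("G1", "GenericAll", "DA"),
    ("G1", "GenericWrite", "G2"),
    ("G2", "WriteDacl", "DA"),
    ("G2", "AddMember", "G1"),
    ("G2", "GenericWrite", "S"),
    ("U2", "GenericAll", "DA"),
]


def collapse_parallel_aces(edges, weights):
    """Keep only the highest-weighted ACE for each (source, target) pair."""
    best = {}
    for src, ace, dst in edges:
        w = weights[ace]
        if (src, dst) not in best or w > best[(src, dst)][1]:
            best[(src, dst)] = (ace, w)
    return best


def simple_paths(collapsed, src, dst):
    """Yield cycle-free paths src -> dst as lists of (src, ace, dst, weight)."""
    adj = defaultdict(list)
    for (s, d), (ace, w) in collapsed.items():
        adj[s].append((d, ace, w))

    def walk(node, visited, path):
        if node == dst:
            yield list(path)
            return
        for nxt, ace, w in adj[node]:
            if nxt in visited:  # never revisit a node: keeps the result acyclic
                continue
            path.append((node, ace, nxt, w))
            yield from walk(nxt, visited | {nxt}, path)
            path.pop()

    yield from walk(src, {src}, [])


def path_key(path):
    """Sort key implementing the tiers: higher average, fewer jumps, higher minimum."""
    ws = [w for _, _, _, w in path]
    return (sum(ws) / len(ws), -len(ws), min(ws))


def best_path(collapsed, src, dst):
    """Return the preferred path, or None when dst is unreachable from src."""
    return max(simple_paths(collapsed, src, dst), key=path_key, default=None)


def build_outbound_graph(edges, weights, src):
    """Best path from src to every reachable node, plus the shadow edges per node."""
    collapsed = collapse_parallel_aces(edges, weights)
    targets = {n for pair in collapsed for n in pair} - {src}
    selected, kept = {}, set()
    for dst in sorted(targets):
        p = best_path(collapsed, src, dst)
        if p:
            selected[dst] = p
            kept.update((s, d) for s, _, d, _ in p)
    shadow = defaultdict(list)
    for (s, d), (ace, w) in collapsed.items():
        if (s, d) not in kept:  # not on any selected path: a shadow relationship
            shadow[s].append((ace, d, w))
    return selected, dict(shadow)


if __name__ == "__main__":
    chosen, shadow = build_outbound_graph(EDGES, WEIGHTS, "A")
    for dst, p in chosen.items():
        print(dst, " ".join(f"{s}-[{ace}:{w}]->{d}" for s, ace, d, w in p))
    print("shadow:", shadow)
```

Running it from source A shows each tier at work: A-G2-DA (weights 8, 9) beats A-G1-DA (7, 10) because both average 8.5 over two jumps and the former has the higher minimum; the direct A-S edge beats A-G2-S because both average 8 and the direct edge has fewer jumps; and, because the first tier is an average, the two-jump route A-G2-G1 (8, 7) displaces the direct AddMember edge A-G1 (7), which then appears only as a shadow relationship of A. That last case is exactly why the warning about wide weight ranges matters.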
This tiered approach ensures the selected paths are both meaningful and minimal, balancing privilege depth with graph simplicity. Once the optimal graph has been formed, all relationships that were not selected as optimal are treated as Shadow Relationships. These are added to each node as a new attribute, which can be queried through the graphical interface: