Access Management

Hello,
I’m having a problem using the HA application with my wife and children.
In order to prevent them from baking some devices, I wanted to make it so that without changing the UI yaml files, some users were prohibited from using the Switches on the UI
I tried kiosk-mode

  • Downloaded it from HACS
  • Added to configuration.yaml

    frontend:
      themes: !include_dir_merge_named themes
      extra_module_url:
        - /hacsfiles/kiosk-mode/kiosk-mode.js?v=6.6.0

  • Added to ui-lovelace.yaml

    kiosk_mode:
      user_settings:
        - users:
            - "user1"
          disable_click: true
          disable_hold: true

No effect
Then I decided to go the other way
I decided to do it with the help of the automations

alias: Restrict All Switches Except Two for user1
description: Prevent user1 from toggling any switches except switch.test1 and switch.test2
trigger:
  - platform: state
    entity_id: switch.*
variables:
  allowed_switches: ['switch.test1', 'switch.test2']
condition:
  - condition: and
    conditions:
      - condition: template
        value_template: "{{ trigger.to_state.context.user_id == '8000e0414e25431aaa9671c8155d7245' }}"
      - condition: template
        value_template: "{{ trigger.entity_id not in allowed_switches }}"
action:
  - service: homeassistant.update_entity
    entity_id: "{{ trigger.entity_id }}"
  - service: persistent_notification.create
    data:
      title: "Access Denied"
      message: "You do not have permission to toggle this switch."
mode: single

What am I doing wrong?

alias: Restrict All Switches Except Two for user1
description: Prevent user1 from toggling any switches except switch.test1 and switch.test2
trigger:
  - platform: state
    entity_id: switch.*
condition:
  - condition: and
    conditions:
      - condition: template
        value_template: "{{ trigger.to_state.context.user_id == '8000e0414e25431aaa9671c8155d7245' }}"
      - condition: template
        value_template: "{{ trigger.entity_id not in allowed_switches }}"
variables:
  allowed_switches: ["switch.test1", "switch.test2"]
action:
  - service: switch.toggle
    data:
      entity_id: "{{ trigger.entity_id }}"
  - service: notify.persistent_notification
    data:
      message: "You do not have permission to toggle this switch."
      title: "Access Denied"
mode: single

This is not working either

Hi, what do you mean by that?

Maybe, this is a solution:

  • create separate profiles per user with limited permissions
  • create separate dashboards per user
  • set the default dashboard for the user
  • use kiosk mode so they can only use what you allow

A non-admin user still can open some entity either from Settings->Entities (or from “Search”) & play with switches etc.
So, we may try to protect dashboards only (to some extent).
If you wish to disable a possibility to change switches from dashboards (sometimes it is easier than creating ANOTHER dashboards for other users) - you may try these alternatives:

  • card-mod to disable toggle buttons for particular users (here) - this is an example for Entities card, but same approach may be used for buttons;
  • restriction-card (here)

Also, you may create all switches (for all users incl. you) “not toggleable”:


and then you will have to use more-info for toggling them, but it works only for Entities card.

P.S.
I do not think this is correct - wildcards not allowed:

    trigger:
      - platform: state
        entity_id: switch.*

Try with smth like this (you will have to list all your 100500 switches):

      - platform: state
        entity_id:
          - switch.test_switch_1
          - switch.test_switch_2
          - switch.test_switch_3
          - switch.test_switch_4
          - switch.test_switch_5
          - switch.test_switch_6
2 Likes

Let me try to explain.
For a long time, I was the only one working with HA, the rest was done by automation.
But now I decided that in some moments, when I’m not at home, to control some devices, I’ll give access to HA to other users on the network (configured in all VPNs, it will connect from anywhere in the world)
I’m from Ukraine, and my wife, just playing, pressed this switch )))

Translated - “server power” )))) Not just One server… power of all rack mount )
So I was lucky to have some switches turned off
Therefore, I thought about how to turn off some switches for certain users without changing the yaml code for the UI.
It’s not easy to rework 10 tabs with a bunch of entities.

Disables some list as minimum

ohhh… I can’t use the * (regexp)?

If these tabs contain mostly Entities card - reworking them means adding this line:

type: entities
entities:
  - entity: switch.xxx
    name: xxx
    card_mod: !include ...... # THIS

and the included yaml file will contain card-mod code to restrict an access.
I would choose THIS way (and then hope that nobody will manage to access more-info).

Alternatively this may be done by a card-mod-theme:
– create a custom theme with needed “restriction” code;
– apply this theme on any client;
– but any user may change a theme to default → all restrictions are gone.

If you mean “need to protect just SOME switches” - then list only these switches in that automation.

Tested the automation a bit.
It toggles switches back.
But they seem to be changed anyway for moment - look at small gaps for ## 3, 4, 5:
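
The approach discussed above (list the protected switches explicitly, then switch them back when a given user changes them), as an added example that is not part of any post in this thread. The entity IDs and the user ID are the ones quoted in the posts and stand in for your own. As the test above found, the switch still changes for a moment, so this reverts a change after the fact and does not block it.

```yaml
# Added example, not from the thread. Entity IDs and the user ID are the
# sample values quoted in the posts; replace them with your own.
alias: Revert protected switches toggled by user1
description: >-
  Reactive guard: puts a protected switch back when a specific user changes it.
  The switch still changes state for a moment before it is reverted.
trigger:
  - platform: state
    # State triggers take explicit entity IDs; "switch.*" is not expanded.
    entity_id:
      - switch.test_switch_1
      - switch.test_switch_2
      - switch.test_switch_3
    # Fire only on real state changes to on/off, not on attribute updates.
    to:
      - "on"
      - "off"
condition:
  # Ignore transitions such as unavailable -> on after a restart.
  - condition: template
    value_template: >-
      {{ trigger.from_state is not none
         and trigger.from_state.state in ['on', 'off'] }}
  # React only when the change was made by the restricted user.
  # The revert below is made by the automation, not by that user, so this
  # condition is expected to keep the automation from re-triggering itself.
  - condition: template
    value_template: "{{ trigger.to_state.context.user_id == '8000e0414e25431aaa9671c8155d7245' }}"
action:
  # Put the switch back into the state it had before the change.
  - service: "switch.turn_{{ trigger.from_state.state }}"
    target:
      entity_id: "{{ trigger.entity_id }}"
  - service: persistent_notification.create
    data:
      title: "Access Denied"
      message: "{{ trigger.entity_id }} is protected and was switched back."
# queued: two protected switches toggled in quick succession are both reverted.
mode: queued
```
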

Thanks, I have all the “critical” switches in the entity cards
All custom cards are more for display but not for control.

As for the list, thank you too, I realized that I just need to list what is impossible
I also realized that I just need to list specific switches in my automation.

action:
  - service: homeassistant.update_entity
    entity_id: "{{ trigger.entity_id }}"
  - service: persistent_notification.create
    data:
      title: "Access Denied"
      message: "You do not have permission to toggle this switch."
mode: single

or

action:
  - service: switch.toggle
    data:
      entity_id: "{{ trigger.entity_id }}"
  - service: notify.persistent_notification
    data:
      message: "You do not have permission to toggle this switch."
      title: "Access Denied"
mode: single

I see…
need to change the UI… automation is not a way

I place critical things inside restriction-card.

toggle is enabled? and can be changed?

The red stripes mean “protected”.
Nobody can access the card (PIN code is required).
Google restriction-card.

As I said - there are 2 ways.

1 Like

This one?

correct, this card
Just issued a new version today.

1 Like

Well, you may use a card-mod way as was suggested:
But imagine a situation when you are away & cannot access a server, but your wife does have an access - but she cannot reach the toggle button since it is disabled for her. In case of a “restriction-card way” you may just tell her a PIN code.

1 Like

Thank you, it’s probably the right decision to use protected cards instead of completely restricting access to certain items.
I haven’t used these cards yet, but I’m sure it’s not that complicated.)
In any case need to refactor yamls )))))
Thanks again.

1 Like

And once again - users still may have an access to more-info, either via Settings → Entities or “search”. (you can disable these menu items for users though…)

these functions already disabled )