How to get an unstoppable automation or script?

pikim · July 29, 2024, 6:27pm

I have a multi-user instance and want to avoid that some users stop specific automations by using the logbook. How can I lock those automations or create an automation or script that cannot be stopped within the frontend? It would also be OK if it was just completely invisible in the frontend.

Nick4 · July 29, 2024, 6:33pm

Hi, non-admin users have no access to automations.

pikim · July 29, 2024, 6:50pm

As soon as the automation has been triggered it can be seen in the logbook. And there, non-admin users can disable it.

Sir_Goodenough · July 29, 2024, 7:05pm

I smell problems with adolescent hackers-2-b…

You could have another automation watch and if it’s stiopped, require a password and if not provided, just start it again. kinda thing

pikim · July 29, 2024, 8:27pm

Yes, kind of. Do you have a source for information about such kind of password protection? Unfortunately this 2nd automation can also be disabled through the logbook as soon as it’s being triggered, correct?

paddy0174 · July 29, 2024, 11:59pm

Disable the logbook for that specific automation, if that’s the problem. No entry, no disable…kinda…

logbook:
[...]
  exclude:
    entities:
      - automation.your_secret_automation

Nick4 · July 30, 2024, 12:07am

What about creating specific dashboards with only the allowed items in the sidebar?

paddy0174 · July 30, 2024, 12:18am

That won’t work as expected, I just checked. If you disable the entry for Logbook in the sidebar, you can still get there via “more-info” of an entity.

It’s getting interesting, how hard it can be, to lock some persons out.

pikim · July 30, 2024, 5:46am

It’s also about using the Android app and there the user can enable the logbook again without any problem.

It would already help if the logbook and history side bar items could be definitely hidden for specific users.

WallyR · July 30, 2024, 6:37am

Only reason an automation should be stoppable is because it is using a delay.
Change the automation to use a timestamp helper instead for when it should do next action.

Hellis81 · July 30, 2024, 6:48am

I agree with Wally, everyone is missing the elephant in the room.
Let’s see the automation first, then we speak about solutions.

pikim · July 30, 2024, 7:03am

The automation currently looks like this.

- id: block-user-access
  alias: Block user from switching off
  trigger:
    platform: state
    entity_id:
      - switch.custom_switch
    from:
    to:
  condition:
    - condition: template
        value_template:
        "{{ trigger.to_state.context.user_id == '3205ceba564d5b9e6de7231eca9e4a25'
        }}"
  action:
    - service: python_script.set_state
      data_template:
        entity_id: "{{ trigger.entity_id }}"
        state: "on"

When switch.custom_switch changes, the automation shows up in the logbook and from there it can be disabled.

Excluding the automation from the logbook or recorder works after a HA restart. But if there’s another way it would also be ok for me.

Nick4 · July 30, 2024, 8:19am

I agree that most likely all the answers are not a real, ‘hack-free’ solution.
It’s just that HA is not foreseen to this (yet)

He could built custom a dashboard where even the “more-info” option is not active.

No matter if it’s the desktop/browser to access or the android app: with a custom dashboard for these users you make it harder.

There you go (@paddy0174: was about to come with the same idea )

The problem is that the OP wants to prevent that someone can disable the automation so it does not run at all.

Hellis81 · July 30, 2024, 8:44am

Not sure if this is possible but I believe if you create the same automation in Node red then it will not be possible to disable it like that.
And you can password protect Node red.

Sir_Goodenough · August 2, 2024, 12:13am

It would be almost instant.
IE the one automation would be killed, this would notice and start it, then be hiding in the automation list . Of course it would be called livingroom light or something. and because this just triggers and ends, they can’t ‘kill’ it. It will just flip something that the other automation has a trigger for. Could even be it fires a weird event and there is a new event trigger on the one that needs to stay on. Events are even harder to track.

It could be found, but not easy to find or easy to intervene…

WallyR · August 2, 2024, 9:19am

Maybe a simple solution could be another automation that just reenables the first one constantly and if course named something that is not obvious to other users.
It might even be included in already automations running, so it does not appear as a new one.

Hellis81 · August 2, 2024, 10:03am

He already accepted one post as the solution.
But I was thinking something similar this morning.

Have five automations all triggering on this automation being disabled.
All these five automations have a for: with a random number of seconds (1-5 perhaps), and the action is to enable the automation in question and all five of the “reenable” automations.
It would be a nightmare trying to disable them all from the logbook