Major security failure! How to hide the search button?

Hello,

I was wondering if it is possible to hide the search button from the dashboard, because with it every user can run automations and turn them on or off, even if it’s a limited user…

Thanks

8 Likes

Forgot to say that the users are not administrators.

This is a major security failure!

1 Like

There’s a #feature-requests for this somewhere, don’t believe it’s been implemented yet.

Although fyi in case you’re not aware, typing ‘e’ on any page launches the same quick search bar and has for a long time. The button is new, the feature is not and all users have always been able to do that. Anyone can also type ‘c’ and launch the command bar to do things like reload integrations, run scripts, go to particular settings pages, etc. And any user can use the HA API as well which lets you do literally anything the UI can.

So this isn’t really a security issue, hiding the button is security by obscurity at best. HA simply isn’t designed to be used in a multitenant model. Only give access to people you trust.

Well it’s very disappointing…

How can I give my kids access to their room controls if they can easily break my configuration?!

I don’t understand… every piece of software with users has a hierarchy of privileges.

You make a great point. I don’t think security or much of a permissions model has been worked on in HA. There isn’t much of one when creating new users either. It seems user creation is simply access to log in and see certain items.

Buy a ZigBee remote.
If they are old enough, tell them not to touch the configuration.

Upvoted. We need this ASAP. This button defeats the purpose of any security if anyone can use a kiosk-enabled tablet to browse through all entities and control them.

I would not call it a security issue, but it sucks that any user can turn on/off every single entity in HA; imagine the implications of turning on or off a virtual flag helper in a complex smart home. Hope this is solved soon.

With HA not having any decent user management / privilege management in the first place, I went through browser mod to manage this, only to then find out that the search function allows ANY user to access EVERY entity and control it. This is a complete joke. The whole topic of user management / security / user privileges needs to be addressed ASAP, else HA is completely unusable for anything but a single-person household with no social contacts.

1 Like

That’s what I said… :cry:

1 Like

I ended up hiding the header bar (and sidebar) with browser-mod, rebuilding the complete navigation with button cards and hiding some of these cards for certain users by condition. Super complicated to do, and adding/removing users will be a nightmare. It’s absurd, really.

But even like this any user can access any view if they have the direct URL. Even if you hide them in the view settings! So while this solution works on a UI level, there is absolutely zero security, meaning that HA cannot be used for anything even remotely security-relevant until this is fixed.

1 Like

I use Browser Mod to hide the sidebar for my public-ish user tablet.
And kiosk-mode (HACS / GitHub: NemesisRE/kiosk-mode, “Hides the Home Assistant header and/or sidebar”) to hide Search/Assistant/Edit for my user tablet in the header bar.

This can be done globally using the Raw Configuration Editor and on the very top (just below title:)

kiosk_mode:
  user_settings:
    # Each entry applies only to the users listed under "users";
    # any user not listed here keeps the normal header.
    - users:
        - Tablet
      hide_search: true          # hides the search button in the header
      hide_assistant: true       # hides the Assistant button
      hide_overflow: true        # hides the overflow (three-dot) menu
      hide_edit_dashboard: true  # hides the edit-dashboard entry

With that I don’t need to use Browser Mod to hide the entire header as I still want to provide access to the standard navigation bar.

This does the trick for me, but obviously proper permission management is not just a nice to have, it’s a must-have in terms of security.
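Because kiosk-mode only hides the header for the users named in user_settings, every non-admin account has to appear there or the search button stays visible for it. The script below is an added example (not from this thread or from the kiosk-mode project) that audits the parsed form of such a block against the instance’s user list and reports non-admin users who are missing or who lack hide_search; the user names and the extra entries are constructed for the demonstration. It only checks the config: as the thread notes, hiding UI elements is not a permission boundary.

```python
"""Audit a kiosk_mode user_settings block against the dashboard's user list.

Added example, not from the thread or the kiosk-mode project. Assumes the
kiosk_mode YAML has been parsed into a Python dict (shown inline, constructed);
user and admin names below are made up.
"""
from typing import Dict, List, Set

# Parsed form of the kiosk_mode block from the post, plus two constructed
# entries: one that hides only the edit button, one for a user that no longer exists.
KIOSK_CONFIG = {
    "kiosk_mode": {
        "user_settings": [
            {
                "users": ["Tablet"],
                "hide_search": True,
                "hide_assistant": True,
                "hide_overflow": True,
                "hide_edit_dashboard": True,
            },
            {
                "users": ["Kid1"],
                "hide_edit_dashboard": True,  # search left visible: a gap
            },
            {
                "users": ["OldTablet"],  # account was deleted: stale entry
                "hide_search": True,
            },
        ]
    }
}

# Accounts on the instance (constructed). kiosk-mode matches on the user name.
KNOWN_USERS = {"Admin", "Tablet", "Kid1", "Kid2"}
ADMIN_USERS = {"Admin"}

HIDE_FLAGS = ("hide_search", "hide_assistant", "hide_overflow", "hide_edit_dashboard")


def coverage(config: dict) -> Dict[str, Set[str]]:
    """Map each user named in user_settings to the hide_* flags set to true for it."""
    covered: Dict[str, Set[str]] = {}
    for entry in config.get("kiosk_mode", {}).get("user_settings", []):
        flags = {f for f in HIDE_FLAGS if entry.get(f) is True}
        for user in entry.get("users", []):
            covered.setdefault(user, set()).update(flags)
    return covered


def audit(config: dict, known_users: Set[str], admin_users: Set[str]) -> List[str]:
    """Return findings: non-admin users not covered by hide_search, and stale entries.

    Admin users are skipped: hiding the header would not restrict them anyway.
    """
    findings: List[str] = []
    covered = coverage(config)
    for user in sorted(known_users - admin_users):
        flags = covered.get(user)
        if flags is None:
            findings.append(f"{user}: not listed in kiosk_mode.user_settings; search button visible")
        elif "hide_search" not in flags:
            findings.append(f"{user}: listed but hide_search is not true; search button visible")
    for user in sorted(set(covered) - known_users):
        findings.append(f"{user}: in kiosk_mode config but no such user; stale entry")
    return findings


if __name__ == "__main__":
    for line in audit(KIOSK_CONFIG, KNOWN_USERS, ADMIN_USERS):
        print(line)
```

Run it after adding or removing a user, or feed it the real config via a YAML parser; a clean run means every non-admin account is named in the block with hide_search set, nothing more.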

I was initially really excited about integrating custom devices into Home Assistant, especially with the MQTT functionality and more. The ability to connect and control my IoT devices was a major selling point!

However, my experience has been soured with the default “Overview Dashboard,” which offers NO user restrictions for non-administrators, allowing them to activate or deactivate sensitive devices.

Furthermore, the addition of a “Quick Search” with no functionality to remove or disable it, granting access to ALL DEVICES AND MORE!!!??? Why?! This lack of flexibility in user management and UI customization severely limits the platform’s usability.

As a result, I will be disposing of the product due to the inability to effectively manage access and the intrusive nature of the “Quick Search” and “Overview Dashboard”.

I also do not like this implementation. I’m sure there’s a reason for it, but I can’t think of one.
Accessing even helpers that work as flags/variables can break automation logic. Hope they make this configurable.

In 2024 they changed it and don’t allow normal users to reboot or restart anymore. I hope HA is leaning into a more hierarchical user structure with clear limitations.