I have 2 main use cases.
I'd like to create a user for regular guests that only control things in certain areas of the house – roles per zones/areas if you will!
I'd also like to help out some family members who have a few sensors or a smart garage door opener that's cloud-based, and set it up in HA to make it more user friendly. Sure I could set up HA at their location but then I have to manage and maintain it.
The visibility settings for Lovelace were a good start. I am able to restrict my kids from being able to see and control some things. But, they still see the link to node-red and esphome in the sidebar. That could lead to disaster if they ever decide to mess around in there.
Refining the access controls is a huge step towards big WAF points! Just imagine what we could be doing instead of training our users on what they aren’t allowed to touch!
While on this subject I have this use case which extends RBAC by including an ability to trust a remote ID.
Take the following situation: I know 3 people using HA to run their homes. They all have the HA client installed on their phones and, while not wanting to give full access to each other, would like to allow a trusted person with HA on their phone to have some access to their devices at some times of day.
Using some form of open ID trust would allow a user to see the bits they have rights to once that OpenID was trusted and assigned a role.
Also a “device” type account/role combination would be brilliant. I have a touch screen that logs in via browser as a console “user” and shows household data and settings.
The ability to require that account to see only the console user dashboard and the devices that it has rights to would be perfect.
Would love to be able to have different profiles like these examples. Have HA installed on kids' tablets and took some work to restrict to one dashboard but my kids can still go into the settings and add other dashboards or other things.
I’d love to have that as well. We are currently doing a small “smart-company” project which’d need exactly this kind of feature. Normal users should not be able to see all things going on in the logbook.
Hope something like this is coming in the near future.
When I put a long lived access token on a device, I don’t want the device to be able to do anything with my HA instance. I want it to be able to perform a specific action [like toggle one switch] and nothing else.
We have authentication – but HA lacks any kind of authorization [permission management].
If someone could help me a little bit with the current architecture of HA UI, we could add an existing open source session/rbac system to it, which could be implemented as an “addon”, so only for those who want it.
I have an idea for such a system already…
Anybody interested in joining me?
I’m not sure about iOS since I don’t have any Apple devices, but my experience with normal user accounts on the Android HA app shows that all I see is the settings option for the app itself, not the whole system.
I’d like to vote for this one as well. The deeper I get into HA, the more use cases I think of, but RBAC holds me back from some of them - such as putting a tablet on the wall in the guest bedroom, or allowing the babysitter to install the app on her phone to control the lock on the front door or the garage door, or the same for the housekeeper that comes by once per week.
Lots of additional things that could be done if RBAC were possible.
I’m only a month into using HA, but I just discovered that this doesn’t currently exist, and it blows my mind. Here’s our use case:
My mother-in-law lives with us in an in-law suite. I’d like to give her access to her HVAC controls, her garage door, and a few other key things, but she absolutely doesn’t need to have access to the rest of my and my girlfriend’s information. All I wanted was to create a limited dashboard for her, but I’m already realizing it’s going to be incredibly difficult (impossible?) to meaningfully limit her in a way that isn’t easily undone.
It also means there’s no way in hell I’m doing what I had planned, and putting a tablet in the guest room, because my nerdy friends would have a field day with that one every time they visited.
I feel like RBAC is kind of like the foundation of a system that is meant to control a home, and therefore be interacted with by a variety of users who absolutely should not all be expected to qualify for the same level of access.