Just tried to set up a custom dashboard for my wife today.
It’s totally crazy that HA doesn’t have this. Maybe the simpler way would be to integrate an external open source RBAC system.
As a first approach, maybe with “little” functionality you can achieve a lot of cases:
Device Access (maybe entity): so you can set who has access to what at a device level. Just make the system ignore the devices (and their entities) the user has no access to. You can do a lot with this.
Panel access: if you can’t access a panel, it’s not even shown in the sidebar. It would need some special options for hiding the default items like Map, Registry, History and media.
You can go much deeper (services, read/write permissions, location based permissions, etc.), but I would consider these two things can make a good first version.
Full disclosure: I work for Okta, which owns Auth0, but I’m not getting any special perks, just using a normal dev account.
As a fairly senior dev who works on IdPs for a living, I wouldn’t trust some dude’s side project to manage authn for me, even if I’m that dude. Again, it doesn’t have to be Auth0; with a little bit more work it could be any OIDC SSO provider, including self-hosted ones (e.g. Keycloak).
Not sure what some of you are suggesting with external systems, but really hope it doesn’t end up being something that requires the cloud and I don’t want to have to host anything else for it either.
Personally all the functionality I need is the same as what the media player Jellyfin offers. A username and password and each user has their own things they can access and their own database of how they have interacted with said things.
My answer was specific to the case where you want a user to be able to access HA only from home.
I wasn’t answering the main thread.
The issue with HA today is that it was made by developers for developers. They did a lot to make HA more user friendly, but there’s a lot of work to be able to give access to it for non-techy end users.
Thus yeah, we need RBAC. If there are security features and an API key pair instead of email/password for cloud, it will let integrators use HA at their clients’ homes, hotels or offices.
I also need this. Use case - external Zigbee coordinator at a cabin (through VPN). Need to give cabin “admin” access to some stuff there, and cabin guests access to some (but less) stuff there.
They can absolutely not have full access to the whole HA instance.
For now I need to run a separate HA instance just for this.
I don’t know if this is helpful, but I wanted to +1 this. Without RBAC things can get… well, very awkward. What can we do to move this along? I’d be happy to help with the dev effort, even.
Then look to see what the state of this is now. Once you have a good idea of how things work, then I think it would be a good idea to open a discussion in the architecture repo with ideas you have about implementing this and see what the response is.
So there’s been what I’d consider a fairly significant addition to the kiosk-mode custom component via this PR:
It allows you quite a bit of control to hide different aspects of the more-info dialogs. While not full-on RBAC, this gives the kind of control I’m looking for to lock down what the user can access via the UI, so I thought I’d share it here in case someone else finds it useful.
In my case, if I want to control what a non-admin user can do with HA, I add what I want to their dashboard and use these settings:
This prevents them from going anywhere other than that one dashboard (via UI controls). Check out the newly added settings in the PR and see if it works for you.
Great! Thanks for the news!
Is there a way to do this if one user has to have access to two dashboards?
Other question, can it be done for a user whose dashboard is not the default one?