Read Only Access to Dashboard

AndyN · June 10, 2021, 9:58pm

Hi

I would like to set up read only guest access to view the dashboards I have created. I have remote access via Nabu Casa so unique url is sorted , but I only want guest users to see the dashboard, no side bar or access to make changes,

I created a user without admin rights but when I log in I can use the side bar to navigate to other dashboards and start up media players etc

So is there a way to control what a user can see but also control various entities? some form of RBAC model would be ideal?

Thanks in advance

Andy

tmjpugh · June 10, 2021, 10:04pm

Yes

Create sensors that show what you want them to see and place that in tabs that they can access

Don’t provide access to other tabs

AndyN · June 10, 2021, 10:28pm

Ok thank you … not too sure how to do that , but I’ll have a go once Ive sorted out an issue where HACS wont load with error: config flow could not be loaded …

All since I did the latest update to core

tensiondriven · May 9, 2022, 5:24pm

This doesn’t sound right to me; i think @tmjpugh meant to say “Create cards that you want them to see”, not “Sensors”. The card would have to restrict access. I’m trying to do something similar (trying to expose a camera feed through Nabu Casa anonymously) and haven’t sorted out all the moving parts yet, but it appears that you an use trusted_networks and a specific user for anonymous access.

asetGem · May 21, 2023, 8:03pm

Hi!
I’d like to do a dashboard for my guests, so that they can access it, but not modify nor access to any other entity.
I created a new user and, in config/.storage/auth replaced system-user by system-read-only.
I also use the browser mode (GitHub - thomasloven/hass-browser_mod: 🔹 A Home Assistant integration to turn your browser into a controllable entity and media player) to hide side bar, so that they can’t see the other dashboards. It works well: the user can only see the dashboard he is supposed to.
However, if he knows the url (add ?edit=1 after the dashboard name), then he can modify the dashboard, add cards, and thus control all entities!
Is there a possibility to fully prohibit access?
It works with the dashboards: if I set visibility to false for a user, then, when he tries to go to the url, he has a access denied and can’t see the page.
I was expecting the same behavior for editing a dashboard, which is even more “dangerous” as the user can do whatever he wants!
Any suggestion ? Thanks !