Restricting children’s access: script permissions

Dirk2.0 · January 18, 2026, 9:55am

I created a separate account for my children and assigned them their own Lovelace dashboard.
Recently I discovered that it’s also possible to set permissions per card. That made me wonder whether it would be better to duplicate an existing Lovelace dashboard and simply remove certain buttons (cards) instead.

However, I’m a bit confused about permissions:
Is it true that every user can still trigger all scripts (for example via iOS Shortcuts), including the children’s accounts?

I’d like to understand the best practice for restricting access properly.

Thanks in advance!

NathanCu · January 18, 2026, 12:07pm

You aren’t confused. Yes they can.

There is no RBAC in Home assistant. Once they are authenticated they can do basically anything.

Same exact answer as this Simplifying home assistant for family and restricting access to certain views - #7 by NathanCu

Best practice is a good long talk with the kids about acceptable use and what you’re going to do if you catch them messing around with the system and hounding dev for RBAC…

You can add things like kiosk mode from HACS and hide endpoints. But remember at the end of the day. It’s open to all authenticated users. If someone knows the url and is authenticated they get there… Treat it that way.

Dirk2.0 · January 19, 2026, 8:24pm

I have now solved it this way for scripts that are not allowed to be started by another person; in that case, you need to add your own User-ID. This works when I start the script directly or via a button. If the script is started via an automation, you need to add None, because the automation does not provide a User-ID.

I only use the Telegram message for debugging. In that case, it’s better to display the message as <code>, so line breaks are rendered correctly.

alias: "Alleen voor mij uitvoerbaar script"
sequence:
  - if:
      - condition: template
        value_template: "{{ context.user_id == '<User-ID>' }}"
    then:
      - action: notify.home_bot
        data:
          message: >
            Script uitgevoerd door geautoriseerde gebruiker!
            User: {{ context.user_id }}

      # the normal script

    else:
      - action: notify.home_bot
        data:
          message: >
            Ongeautoriseerde toegangspoging tot script!
            Script: {{ this.entity_id | replace('_', '\_') }}
            Alias: "{{ this.attributes.friendly_name }}"
            User: {{ context.user_id | default('onbekend / systeem') }}
            Tijd: {{ now().strftime('%H:%M:%S') }}

User-ID can be found in http://home.assistant:1234/config/users/

alias: "Alleen voor mij uitvoerbaar script en een automation"
sequence:
  - if:
      - condition: template
        value_template: "{{ context.user_id == '<User-ID>' or context.user_id is none }}"
    then:
      - action: notify.home_bot
        data:
          message: >
            Script uitgevoerd door geautoriseerde gebruiker!
            User: {{ context.user_id }}

      # the normal script

    else:
      - action: notify.home_bot
        data:
          message: >
            Ongeautoriseerde toegangspoging tot script!
            Script: {{ this.entity_id | replace('_', '\_') }}
            Alias: "{{ this.attributes.friendly_name }}"
            User: {{ context.user_id | default('onbekend / systeem') }}
            Tijd: {{ now().strftime('%H:%M:%S') }}