Security Issue with Homeassistant APP?

I have implemented Home Assistant in a multi-family house. There is a single instance of Home Assistant that all tenants can access. Each apartment has its own dashboard, and using kiosk mode and permissions on the pages, I have restricted the rights.

So far, everything was going well.

Until…

one tenant had the idea of downloading the Home Assistant app.

When they set up a new widget on their iPhone and select Home Assistant, they gain access to all restricted areas. They can control the heat pump or open the neighbor’s front door.

Can I restrict the rights here?

Home Assistant has no Role Based Access Control (RBAC) so you’ll never get that safe. Certainly not with locks to multiple apartments. Most likely the kiosk mode tablets will also be able to access wrong things if you have users that know their way around HA and its shortcuts.

Separate HA instances are the way to go, with a central one for you, connecting things through mqtt or something similar.

6 Likes

Thank you, Edwin_D, for your feedback. I had already suspected this. For my four units, I would need to run four Home Assistant instances as well as a caretaker instance. I would set this up on a Proxmox server.

MQTT instance + 5 HA VMs. Does it make sense to set up Zigbee2MQTT as an LXC container in this case? I probably shouldn’t use the Zigbee integration, as otherwise all Zigbee entities would end up in the HA VMs again. Has anyone already installed it this way? I would appreciate feedback.

Yes, the MQTT middleman gives you more flexibility, but if five HA instances are sharing a single MQTT server then by default they will all auto-discover the same devices.

One workaround is to disable autodiscovery in Z2M and manually define all your mqtt entities in YAML, but depending how many you need that could be time-consuming.

A better option would be to have each HA instance login to Mosquitto as a separate user so you can define ACLs for each instance to only have access to the topics for devices they need.

Edited to add — to answer your other question, with five HAOS VMs only one would need the Z2M and Mosquitto add-on, the other four would point their mqtt integrations to that IP.
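An added example (not code from any poster in this thread) of the per-instance ACL idea above, combined with the YAML-defined-entities workaround: each apartment's HA instance gets its own Mosquitto user limited to a `zigbee2mqtt/<apartment>/...` subtree and is not granted the discovery topics at all, while the caretaker instance sees everything. The ACL text, the user names and the topic layout are assumptions for this example; the script parses a subset of Mosquitto's ACL syntax and checks who can reach what.

```python
# Added example (not from the thread): check a Mosquitto-style ACL so that each
# Home Assistant instance's MQTT user only reaches its own apartment's topics.
# Models "user" sections and "topic <access> <filter>" lines only (no global
# rules, no "pattern"/"deny"). ACL text, user names and topic layout are assumed.
ACL_FILE = """
user ha_apt1
topic readwrite zigbee2mqtt/apt1/#
user ha_apt2
topic readwrite zigbee2mqtt/apt2/#
user ha_caretaker
topic readwrite zigbee2mqtt/#
topic readwrite homeassistant/#
"""

def parse_acl(text):
    """Return {user: [(access, topic_filter), ...]} from the ACL text."""
    rules, user = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "user":
            user = rest.strip()
            rules.setdefault(user, [])
        elif key == "topic" and user is not None:
            access, _, filt = rest.strip().partition(" ")
            rules[user].append((access, filt.strip()))
    return rules

def topic_matches(topic_filter, topic):
    """MQTT wildcard matching: '+' is one level, '#' is all remaining levels."""
    flt, lvls = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(flt):
        if part == "#":
            return True
        if i >= len(lvls) or (part != "+" and part != lvls[i]):
            return False
    return len(flt) == len(lvls)

def allowed(rules, user, access, topic):
    """access is 'read' (subscribe/receive) or 'write' (publish); default deny."""
    return any(granted in (access, "readwrite") and topic_matches(flt, topic)
               for granted, flt in rules.get(user, []))

def cross_apartment_leaks(rules, user_to_apt):
    """List (user, access, topic) where an apartment user reaches another apartment."""
    leaks = []
    for user, apt in user_to_apt.items():
        for other in set(user_to_apt.values()) - {apt}:
            probe = f"zigbee2mqtt/{other}/front_door/set"
            leaks += [(user, a, probe) for a in ("read", "write")
                      if allowed(rules, user, a, probe)]
    return leaks
```

The Zigbee2MQTT and Mosquitto service accounts themselves are not modelled here; they would need their own entries with full access to `zigbee2mqtt/#` and `homeassistant/#`.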