What approach can I take to give a group of people access to HA?

The computer I’m currently using is set up to clear out login information every time the browser is shut down. This is a security measure because this particular user account is the generic volunteer account, so we don’t want people to forget to log out of their email, for example.

As a result, any time we try to access Lovelace after shutting down the browser, we’re prompted to log in.

Is there a way to authenticate this machine permanently in HA?

If it has a fixed IP you can use the trusted networks authentication provider so that people can click through without authenticating.

That of course means that anybody on that computer can access HA, without authentication.

Trusted networks: https://www.home-assistant.io/docs/authentication/providers/#trusted-networks

Doh. Too slow.

Ahh…yes. Derp. I’m using the custom header integration for Lovelace. Will the trusted networks feature affect its ability to restrict content based on the user?

Depends on how you set it up :wink:

You can either force it to log in as a single user, or allow folks to pick who they’re connecting as.

On a shared system this is a massive security issue, you’re allowing anybody to manage your HA instance.

I’ve enabled custom header and everything is hidden except a few controls using user exceptions. How is that a security issue?

You can trivially bypass CH by adding ?disable_ch to the URL.

If you’re giving people access only to a non-admin user there’s less of an issue, but anybody on that PC can connect to HA and interact with it as that user. They can do anything that user can do, and right now there’s very little limitation on what people can do.

Ahh yes, these are all very valid points. Thanks for the reminders.

At this point, HA only serves two purposes for us.

  1. We use NodeRED to call a URL that triggers our lighting system to turn on or off the house lights and…
  2. Sanctuary thermostats.

That’s all we have currently for integration into our systems here. So at this point, I’m not terribly concerned with whether or not someone can get to the system…

And the likelihood of that happening anyway is less than 1% since nobody here has a clue about HA or I.T. stuff. ;)

Good to know though. I wouldn’t want to integrate a security system with it in this environment.
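
An added example, not posted by anyone in this thread: a `configuration.yaml` sketch of the single-user variant of the trusted networks provider discussed above, limited to one fixed-IP machine. The IP address and the user ID are placeholders to replace with your own values.

```yaml
# configuration.yaml (added example; IP address and user ID are placeholders)
homeassistant:
  auth_providers:
    # Keep the normal username/password login for every other device.
    # Listing auth_providers replaces the defaults, so it must be named here.
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        # One host only (/32), not the whole subnet: the shared volunteer PC.
        - 192.168.1.50/32
      trusted_users:
        # Requests from that address may only log in as this one user.
        # Use the ID of a non-admin user created for the volunteer PC.
        192.168.1.50: REPLACE_WITH_NON_ADMIN_USER_ID
      # With exactly one user available, skip the login page entirely.
      allow_bypass_login: true
```

Anyone sitting at that PC can still do whatever that user is allowed to do, so the mapped user should not be an administrator.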