Re-opened. This is the Month of WTH. If this is the thing someone bothers, then that is fine.
This month is not just about low-hanging fruit, it is about letting the community speak their minds freely. We should not shut that down. Let the community speak, please.
I agree, HA needs the ability to add a guest user. Such a user would be given access to only one dashboard. On this dashboard, the guest could control entities, see the more-info window of these entities, but could not go to the devices from which these entities come. Also, going to the history of entities would not be possible for a guest user. The sidebar and keyboard shortcuts for searching should also be blocked for such a user.
I have basically everything on HASS and my family has access as well. Not having the ability to limit who can control what has the potential risk of them modifying everything else if they somehow break out of their own spaces and dashboards I gave them, as good as you can lock these down there isn’t much that prevents them from potentially going to all devices or breaking out of additional addons which put them into a kiosk mode.
+1 I am really hesitating to encourage my family members to use HA themselves as they will likely break things by mistake (as the UI is so powerful).
Configuring access permission to specific devices or specific entities (none, readonly, readwrite, full - including deleting it etc) will be huge
Without Access control HA is not suited for real-life family use. Is it really for just lonely enthusiasts?
Example real-life use case where HA fails:
I have 2 kids: 6 and 12yo, both are smart enough to poke around and find their ways around limitations.
I want my kids to use HA mobile app on their phones to control: Lights, thermostats, music in their rooms as well as request more hot water from Viessmann heat pump when they are about to take a bath.
I don’t want my kids to control anything in my office or bedroom or change other HA entities.
In addition to that I have set limits for when and how long the TV can be switched on. And when I turn it off it should stay off.
So I have created dashboards for my kids to use and all is nice until they click that pesky “search” button. Then search for TV entity and turn it on on their will. Or mess around with my lights at night, or … do kids stuff.
Access control should prevent the “what does this button do?” situation and keep Didi out of the Dexter’s lab.
Until then it’s a one man show only, unfortunately.
“3. Fine-grained privilege system. Example: the user logged in 7/24 on a wall mounted dashboard should not have access to all the entities, just those required for that particular wall panel. Basically an area/device/entity/service level read/write/execute privilege system.”
To put it into context: my Home Assistant beside many-many other things controls my house’s heating and hot water production. This means controling of a heat pump, a wood stove, an electric water heater, solar collectors, 6 electric valves, 4 pumps, 4 fan-coils with speed control installed for more than $30000.
If it’s not possible to do it in this WTH, at least add an option to reserve the Media, Logbook and History onyl for admin.
Other dashboards will be visible, but empty if the tab in the dashboard has limited visibility. Not the best, but it works,
It would definitely be nice to set visibility per entity. That said, I currently get around this by creating separate dashboards for each member of the family and setting the visibility for the dashboard appropriately.
Currently you can not secure your system correctly. You can make dashboards, remove the search and assist buttons via some hacks, but in reality your system won’t be secure. The backend behind the UI exposes all the data to the user logged in. And that’s a problem as it makes Home Assistant a single-user application.
Thank you Tom, I did know about it.
The problem is that for my wife, that uses only a smartphone, I set it up in the app, removing all the menus she doesn’t need, but my (teenager) sons were able to re-add the menus, or use another browser in a pc, and go through the logbook/history, find the brother’s light and turn it off.
HA is already the best home automation software out there, but the missing RBAC is a big, big bummer.
LOTS of people here in the forum requested that in the past 5 years, every year those posts did get a lot of votes - but unfortunately, nothing happened.
Maybe this year it will be different? I would very much welcome it!
All of the default / built-in dashboards should be able to be restricted to admin only. I understand that at least one dashboard is needed for a user of the system and as such the default Overview is fine. But allow us to make all of the other dashboards admin only.
I hesitate to give standard user accounts to anyone because of them getting access to dashboards that they shouldn’t have access to!
Dashboards that should be restrictable but are not:
Map (further inspection shows that this is now controllable but last WTH it wasn’t!)
Energy
Logbook
History
Calendar
HACS (if installed)
To-do lists (if installed)
The Media dashboard has at least one item on it that could be considered an admin, or privileged only section and that is the Camera section.
Basically, if a dashboard isn’t the Overview dashboard, then it should be something that can be configured to be admin only / manage being shown in the navigation pane. This includes dashboards added by integrations, they should be manageable for visibility from the dashboard settings page.