WTH no access control

tom_l · December 2, 2024, 1:57am

This already exists. See: https://community.home-assistant.io/t/how-to-remove-entries-from-the-sidebar/453377/2

terba · December 2, 2024, 7:59am

Currently you can not secure your system correctly. You can make dashboards, remove the search and assist buttons via some hacks, but in reality your system won’t be secure. The backend behind the UI exposes all the data to the user logged in. And that’s a problem as it makes Home Assistant a single-user application.

eVolts · December 2, 2024, 11:03am

Thank you Tom, I did know about it.
The problem is that for my wife, that uses only a smartphone, I set it up in the app, removing all the menus she doesn’t need, but my (teenager) sons were able to re-add the menus, or use another browser in a pc, and go through the logbook/history, find the brother’s light and turn it off.

Pd66 · December 2, 2024, 12:53pm

+1 here, because of kids - they can hack the HA and control anything, even I limit dashboards visibility

Peeps · December 2, 2024, 12:56pm

I would like to have the ability to set a dashboard for a user, like so:

InventoCasa · December 2, 2024, 6:50pm

+1 from me.

HA is already the best home automation software out there, but the missing RBAC is a big, big bummer.

LOTS of people here in the forum requested that in the past 5 years, every year those posts did get a lot of votes - but unfortunately, nothing happened.

Maybe this year it will be different? I would very much welcome it!

micz · December 2, 2024, 8:58pm

You’re right Tom, I improved the description of the WTH.
Thank you.

tom_l · December 2, 2024, 9:11pm

Then this Is Roll Based Access Control for which there is already a WTH open. So I will merge your topic and votes there.

tykeal · December 3, 2024, 5:49pm

All of the default / built-in dashboards should be able to be restricted to admin only. I understand that at least one dashboard is needed for a user of the system and as such the default Overview is fine. But allow us to make all of the other dashboards admin only.

I hesitate to give standard user accounts to anyone because of them getting access to dashboards that they shouldn’t have access to!

Dashboards that should be restrictable but are not:

Map (further inspection shows that this is now controllable but last WTH it wasn’t!)
Energy
Logbook
History
Calendar
HACS (if installed)
To-do lists (if installed)

The Media dashboard has at least one item on it that could be considered an admin, or privileged only section and that is the Camera section.

Basically, if a dashboard isn’t the Overview dashboard, then it should be something that can be configured to be admin only / manage being shown in the navigation pane. This includes dashboards added by integrations, they should be manageable for visibility from the dashboard settings page.

ajma · December 4, 2024, 12:37am

I really need my kids to have access to some of the dashboards, but I really can’t give them access to the entirty of what is in the UI.

rickydg · December 4, 2024, 6:17pm

RBAC and GBAC should be considered for implementation. If doing one, makes sense to do the other at the same time.

Rpad · December 4, 2024, 6:53pm

I would be happy too with a limited access control. I’m not dreaming about users, groups, inherited rights etc. Just to have 2 levels of access control - All users, Admin Only. Admin only is only viewable and interactable by admins. I could solve most of my problems with that. Better is to have 3 levels. Best: having full ACL on every entity, dashboards, helpers etc (view, change status, full access like delete rename etc.)

petro · December 4, 2024, 8:01pm

Where did he say single guest account?

Vlayke · December 4, 2024, 8:50pm

I’d say that for me this is absolutely the 1st thing that should be on the to-do list for the HA team.

Ha went very, very far in recent years. It’s gone from a geeky, hobby kind of a thing where you need to tinker around with it semy-constantly to keep it working, to a fairly stable and robust system that I can trust to run my home environment. It even gained approval and some admiration from my spouse, which is amazing in on its own.

But, like multiple people before had said, it sadly misses a few things to make it a tool that can be safely deployed to all family members (maybe even some that are not part of direct household).

Ability to restrict who can see what (hiding entities)
Ability to restrict who can change what
Ability to define which user gets which dashboarsd and sidepanel items (similar, but not the same as 1st option)

Without those it’s a real risk to give access to HA to almost anyone. Not even necessarily because you don’t trust them to do something intentionally. It’s also that they could mess stuff up unintentionally, while honestly being curious and exploring things out of interest.

D0doooh · December 5, 2024, 10:12am

I share the same perspective as many others: perhaps it would be a good idea to start by introducing a “light” version. For instance, this could involve restricting users’ access to search/assist functions and limiting their use of dashboards.

While it’s true that an experienced user can bypass these limitations by customizing requests, such an approach would still provide a solid foundation—especially for scenarios like setting up a tablet for a child or guest. For me, that would be a meaningful first step.

ricarva · December 5, 2024, 2:42pm

This is probably the single most important core feature that is still missing.

Be it for guest access, or for kids (I want them to have the HA app on their phones for their convenience and for certain automations, but don’t want them to wreak havok on my setup), HA really needs this.

Dav-rnd · December 6, 2024, 8:52am

+1 here too.

I have kids with smartphones and want to be able to track their location in Home Assistant. So AFAIK the normal way to do this is to install the Home Assistant Companion App, but then I need to create HA user accounts for each of them to be able to log in the app.

And now they can access easily a ton of things they should not, as already described in other posts in this thread.

DISCLAIMER: Apologies in advance if something like this already exists, I have not search extensively!

IanRH · December 6, 2024, 10:01am

Exactly my situation too!

D0doooh · December 6, 2024, 10:36am

I have currently solved this by running a separate Home Assistant instance for each family member, connected via the Remote Home Assistant integration.

For each instance, I only share the entities that the respective person needs or is allowed to control. While this approach ensures privacy and tailored access, it is very time-consuming to set up and maintain, especially when it comes to updating add-ons and configurations across multiple instances.

In my opinion, this is currently the only viable solution.

dominikandreas · December 6, 2024, 3:28pm

this is actually a neat idea. I wonder if you could create an addon that just runs home assistant core and allows access to a list of entities that can be defined via configuration. that would probably solve 80% of the usecases and could be implemented in a fraction of the time that the “ideal” solution would require.