How is it possible that, in 2024, HA still has no mechanism to control, per entity, who is allowed to view or modify the state of entities? Same for actions! Arguably even the appearance of the existence of entities, and event monitoring, should be controllable.
I would like to be able to have my guests have their own dashboards, but they should not be able to change entities other than the ones I designate as changeable by them. Without access control, they can just open the web inspector and run whatever they want.
EDIT:
Ideally, there would be an interface that allows the administrator to add/remove entities (preferably with view+change or just view option) to a role. We already have something similar in the Voice assistant “expose to assistant” dialogs.
“Change” in this context also implies calling a compatible action, with that entity as a target, where the entity state will change, and “view” implies calling a compatible action that doesn’t change the state of the entity.
Then roles can be assigned to specific users.
Functionally, any entity not viewable by the user would be filtered out of the websocket/API for that user. Actions invoked on entities not in the user’s role set of entities would error out with either a permission denied error or act as if the entities don’t exist. This filtering automatically implies that logbook/history don’t show unviewable entities, and dashboard-initiated actions don’t change entity state for unchangeable entities.
Eventually the same mechanism can be extended to individual dashboards.
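
A sketch of the role-based filtering and action check described in the post above, added here as an illustration; it is not Home Assistant code or an existing Home Assistant API. The names `Access`, `Role`, `EntityPolicy`, `PermissionDenied` and the sample entities and user are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

class Access(Enum):
    VIEW = 1    # may read state and call non-mutating actions
    CHANGE = 2  # may also call actions that change the entity's state

@dataclass
class Role:
    name: str
    entities: dict[str, Access] = field(default_factory=dict)

class PermissionDenied(Exception):
    """Raised server-side before an action is dispatched."""

class EntityPolicy:
    """Hypothetical per-user entity policy with default deny."""
    def __init__(self, user_roles: dict[str, list[Role]]):
        self._user_roles = user_roles

    def access(self, user: str, entity_id: str) -> Access | None:
        # Highest grant across the user's roles; None means "not visible".
        grants = [r.entities[entity_id] for r in self._user_roles.get(user, [])
                  if entity_id in r.entities]
        return max(grants, key=lambda a: a.value, default=None)

    def filter_states(self, user: str, states: dict[str, str]) -> dict[str, str]:
        # Applied to every API/websocket payload, so history and logbook inherit it.
        return {e: s for e, s in states.items() if self.access(user, e) is not None}

    def authorize_action(self, user, targets, mutates: bool, hide_unknown=True):
        # Check every target before anything runs, so a call is all-or-nothing.
        for entity_id in targets:
            level = self.access(user, entity_id)
            if level is None:
                msg = "entity not found" if hide_unknown else "permission denied"
                raise PermissionDenied(f"{msg}: {entity_id}")
            if mutates and level is not Access.CHANGE:
                raise PermissionDenied(f"permission denied: {entity_id}")

# Constructed sample data (entity ids and the user name are made up).
STATES = {"light.guest_room": "off", "sensor.hall_temp": "21.5", "lock.front_door": "locked"}
GUEST = Role("guest", {"light.guest_room": Access.CHANGE, "sensor.hall_temp": Access.VIEW})
POLICY = EntityPolicy({"alice_guest": [GUEST]})
```

The check has to run on the server for every request; hiding entities only in the dashboard leaves the web-inspector path from the post open.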