WTH no access control

And one of my best friends is Loki incarnate

My case: Friend is absolutely Loki incarnate. When she visits I have an automation that IDs her device tracker AND I shut off all the tablet panels running HA to ensure no access, because I cannot GUARANTEE she’s not going to do something dumb like turn off the water (ZWave valve) or half the breakers (two span monitored panels) or set the door message to German…

If I give her the panel and only lock out certain screens, she will pick apart the panel like a raven until she finds something that gets her to that next thing.

Too dangerous, no access for you… So yeah, I guess I did say I can’t secure it so you don’t get it.

Some would say get better friends. But nah. :wink:

3 Likes

@NathanCu I like your friends :joy:

2 Likes

@MissyQ I have several Airbnb properties. At present I do not provide any sort of ability for my guests to do anything interactive with the house. I want to put a touch panel in the properties to allow them to override the default heating schedule to something that works better for them instead of having to have them message me to modify the heating schedule (which I do remotely). The only other troubleshooting I currently do remotely is if the locks don’t properly program.

I’m the writer and maintainer of Rental Control which sits on top of Keymaster. I know from the stats that I’ve got 132 installations that are reporting back stats. Who knows how many don’t have stat reporting turned on. So, not exactly a significant number of folks using HA in this way but I’m sure there’s a lot more than are using my integration!

As I said, my desire is to put a touch panel at the properties. It would allow me to allow my guests to potentially change other parts of the smart automations I currently have in place as well without them destroying the system or getting into parts of the system that I absolutely do not want them to be part of (like my schedule for the sprinkler system) or the outside lights management, or the locks themselves!

I can’t trust putting a panel in at the properties without them better locked down. I’m doing a lot of careful work on designing the dashboards now and having to do a lot of browser_mod, card_mod, kiosk mode and using Fully Kiosk just to get it to a point where I have a hope that someone won’t find a way to escape the dashboard jail that I’m crafting. Putting access around everything would make this significantly easier for me!

I also want to make a panel available in my own home, but I have a very curious 5 (nearly 6) year old and I don’t want him messing with any of this stuff either. Especially since I have my spare bedrooms rented out via Airbnb as well, so I have a lot of locks (7 counting my office door) hooked up to my home HA instance, the thermostat and the sprinkler system.

Currently his only interaction with the HA system is via Google Home devices that only have some of the lights exposed.

8 Likes

Thanks for clarifying some of your use cases and why they are important to you! I understand that the main reasons are to avoid other people changing anything in HA, by accident or on purpose, and due to security concerns. Is that correct?

For Media, History, Logbooks, or wall-mounted devices in general, for example, is privacy in front of your other home members and guests also a reason you don’t want anyone to access specific areas, or is that less of a concern?

Completely ignoring the fact that in my install, with over 6000 entities, the logbook flies by so fast it’s useless (it would take hours of work to clear things from the recorder etc.)

These blue links are the issue.

They take a person to a more info panel where they get ‘elevated’ privs.

From there you can go one level up to the device page, and from there you’re pretty much anywhere.

It’s 100% security.

AND nobody has any business reading it anyway; it’s a diag tool.

And it should be off until I say so. (there’s similar cases with pretty much every icon on the side bar)

And Annika you’re talking to guys and gals who regularly get threatened with being fired for not being secure. Zero trust gets in our blood. This is a hill we WILL die on.

4 Likes

My kids (4yo and almost 6yo) are too young to have access to HA, but when they get their own phone, I wouldn’t like that they have easy access to all entities using the search button in the top title bar. It is a really convenient button right now for easy access to an entity, but it could become a PITA in the hands of children.

6 Likes

Thanks! Pointing out the specific issue is really helpful. Understanding that you deal with security at work, too, helps a lot in relating why it is a priority for you :slight_smile:

3 Likes

I used to have a small old phone to control my entertainment system. All the universal remote companies have pretty much died out. So a solution I came up with was to repurpose an old phone, giving people direct access to turn on Netflix (or any other app) from a single button click. These buttons did quite a bit: set lighting, set the TV to the correct source, turn on the sound system, and set the initial volume. Basically, think of a smart remote that only controls the entertainment system.

I did all this through a single HA and a single dashboard, and just had the mobile app installed on the phone. I had one party and my jackass friends started mucking with lights in other areas of the house “as a joke”. On top of that, they were snooping through the map card (which shows location history). We have no way to control this currently.

I have to now hide the remote during house events, and I exclusively control the remote from my phone. Or they have to use a dumb remote and I have to explain how to turn on the TV.

So to sum everything I’ve said up: I do not want anyone using that remote to have access to any private information about my wife and myself. They do not need to see our location history, they do not need to see when we go to sleep, they do not need any of this information. They should not be able to configure anything, nor should they be able to access lights & devices outside the living room.

FYI, here’s the remote

5 Likes

Here are a couple scenarios where I could use better access controls:

Kids/teens. I don’t have any in my home, but I work for an elementary school, so I do have strong, but informed, opinions here. They need to be locked down. They WILL ALWAYS explore their world and will attempt to circumvent naive security or security through obscurity (e.g. hidden entities). They also have more free time than we do, and thanks to their internet-connected lives, news spreads fast. They’ll share what they know with each other. If we can’t effectively lock down certain users entirely, and only then add in exactly what they DO need access to, access to the Home Assistant app/web dashboards is a non-starter for kids.

Less-technical adult family. My mother, for instance. She recently stayed for an extended visit. I’d like to be able to say to her, “Here is a simple app with 5-10 buttons*. It’s set up just for you, so you can control your guest room lights, turn off/on all of the ‘standard’** house lights if you’re leaving/arriving and we’re not around, and change the thermostat a degree or two***, etc. You CAN’T mess anything up by using it.” Right now, I can’t sign her into Home Assistant because that’s just not true. She could easily find her way into things that could have consequences for the rest of the household - for instance door locks**** and extended HVAC controls. She gets frustrated by technology easily, doesn’t understand tech jargon, and frankly, neither of us wants to spend our time together training and being trained on a platform.

I know I could create a dashboard that does most of the above for my mother and hide the rest of my more advanced home assistant functionality, but there’s too many ways for her to accidentally get into the wrong stuff (as others have mentioned already, there’s the entity/action search button, history, maps, and logbook, etc).

*(sliders, widgets, whatever)

** By ‘standard’ I mean: lights that are regularly on when people are home and awake - for instance porch, hallways, common areas. Yes, I can automate this (and have for me and my wife), but my mother is a user who doesn’t want to be automated; she wants control over this herself, like it’s always worked her whole life.

*** I’m OK with someone like my mother changing the HVAC up or down 1 or 2 degrees so she could make herself more comfortable. I wouldn’t want her to be able to switch it off entirely, change it from heat to cool mode, change the fan mode, etc.

**** She should be able to let herself in, but not be able to disable the lock entirely.

4 Likes

That is correct. Let me clarify the two points:

  1. Avoid Unwanted Changes – right now, the UI is built as if the user of the dashboard is also the person who built and maintains the system. Many of us have dashboards for other users. The current Admin vs User structure does not sufficiently target the “Dashboard Only” use case.

  2. Security Concerns – least privilege is always good practice. Especially as Home Assistant is becoming more complicated and involving things like LLMs and AI. It is important that the user who sets up Home Assistant is able to delegate control as they see fit while being confident that it will remain in that state unless they explicitly change it. Once RBAC is implemented, a basic “user type” selection for default set up could be created. i.e. “Admin”, “Power User”, “Normal User”, “Restricted User”, etc.

5 Likes

I suspect most might remember the friendly login screen showing everyone with local access, with their images so they can quickly sign in? It was shot down faster than fish in a barrel.

As I remember, part of it being shot down was people not having their own networks setup properly. Personally, I didn’t like it because I couldn’t hide the “admin” account (as I can in other, similar, login screens).

I would absolutely support, “the year of security”.

MrGrey.

5 Likes

I also have adult children that I’d like to give limited access to only certain dashboards and entities.

I want them to be able to see if we are home or not and have a way to get in contact with me in an emergency if I’m not around my phone (I have what I call a “buzz home” system that when they push a button on a dashboard it announces over my smart speakers that someone is trying to contact me or my wife but only if we are home). But they don’t need to access my security cameras or control the lights. Not that they would intentionally but what if their phones are compromised or they accidentally do something.

I used to do this with the (now defunct) Compact Custom Header. It wasn’t perfect but it was better than it is now since I could turn off all the obvious extra access stuff (sidebar, header). but since that’s gone it’s way harder to provide that limited functionality.

3 Likes

I second many of the points in here about why they would want access control.

I’m a little bit surprised that there is such a question about why, but perhaps it ties into how it will be implemented…

A broad why for me is this:

When I invite people into my home, I would like them to be able to enjoy the home as I enjoy it, however there are rooms of my home that are best left alone.

For example, although I would let them into the utility closet, some people don’t have any reason to be in there unsupervised. Mischief or curiosity might get the best of them. This could be harmful to themselves, or someone else in the home, or the home itself.

As it is, without complex external (not core) measures, giving any access to Home Assistant is akin to giving a universal key to every room, fixture, device, etc that I have integrated through Home Assistant.

In short, the reason is because it doesn’t make sense to give a universal key to every person who enters your home, yet you would like to be able to give them access to enjoy your home.

Without this functionality we must resort to highly technical approaches, or just not give friends, family, guests, tenants, etc access to the use our Home Assistant. (For what it’s worth, not giving access means there’s less exposure of new people to such an awesome platform).

Asks

  • expose specific dashboards to the network without any login.
  • use groups and or users to restrict access to any and all entity/devices/dashboards.
  • allow a user or group to be assigned a specific dashboard that their login is limited to.
  • allow a user or group to be restricted from certain layers of the dashboard (like browser mod, disallow certain menus, history, more info, etc) which can be used to access areas that should be behind a wall.

A personal note:
My son is 13, and I’m teaching him how to administrate some of our servers and home assistant. I would really like him to be able to have access to almost everything in home assistant, so he can explore and see what it looks like, including setting up his own automations, scripts, etc. There are areas I would rather block off, as the consequences of an errant finger tap are too high.

A final thought:
Something I’ve wrestled with is the benefit of giving my kids access to Home Assistant on their phones, versus the risk of allowing a device out into the world that has a conduit back to our home. Although I absolutely am teaching my kids about security, there is an element of risk that they might choose not to follow best practices, or just loan their phone to a friend. Or perhaps somebody looked over their shoulder, got their PIN and took their phone. Now this person has access to my home, physically and remotely. Not good. I think enough is said right there about the value of this.

Thank you for coming to my presentation. :joy::person_facepalming: :call_me_hand:t3:

Please make 2025 the Year of Security. :pray:t3:

3 Likes
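To make the “Asks” above concrete, here is an added illustration (not Home Assistant’s code, and not from any poster in this thread) of a deny-by-default policy evaluator over the three dimensions the list names: entities/services, dashboards, and UI layers such as more-info, history and map. The role names echo the presets suggested earlier in the thread; every entity ID, dashboard path, user name and the clamp on thermostat changes are assumptions chosen for the example.

```python
"""Deny-by-default access policy sketch for a home-automation frontend.

Added illustration, not Home Assistant code. Entity IDs, role names, dashboard
paths and users are hypothetical. Anything not explicitly granted is refused,
including for unknown (anonymous) users.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class Grant:
    entities: Tuple[str, ...] = ()      # glob patterns, e.g. "light.guest_room_*"
    services: Tuple[str, ...] = ()      # "domain.service" patterns the role may call
    dashboards: Tuple[str, ...] = ()    # dashboard URL paths the role may open
    layers: Tuple[str, ...] = ()        # UI layers: "more_info", "history", "map", ...
    max_temp_delta: Optional[float] = None  # None = unlimited thermostat change


# Role presets (names from the thread; contents are assumptions for the example).
ROLES = {
    "admin": Grant(("*",), ("*",), ("*",),
                   ("more_info", "history", "logbook", "map", "search", "settings")),
    # Guest: lights and media in the guest area, one dashboard, no drill-down layers.
    "guest": Grant(("light.guest_room_*", "media_player.living_room"),
                   ("light.turn_on", "light.turn_off", "media_player.*"),
                   ("/guest",)),
    # Restricted: may nudge one thermostat by at most 2 degrees, nothing else.
    "restricted": Grant(("climate.hallway",), ("climate.set_temperature",),
                        ("/kiosk",), max_temp_delta=2.0),
}

# Hypothetical users; an unknown user gets no roles at all.
USERS = {"owner": ("admin",), "mom": ("guest", "restricted"), "deck_tablet": ("restricted",)}


def _any_match(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def grants_for(user):
    return [ROLES[r] for r in USERS.get(user, ())]


def can_control(user, entity_id, service):
    """Allowed only if a single role grants BOTH the entity and the service."""
    return any(_any_match(g.entities, entity_id) and _any_match(g.services, service)
               for g in grants_for(user))


def can_open_dashboard(user, path):
    return any(_any_match(g.dashboards, path) for g in grants_for(user))


def can_use_layer(user, layer):
    """UI layers (more-info, history, map, search) are separate grants, so a
    user who may toggle a light still cannot pivot through its more-info panel."""
    return any(layer in g.layers for g in grants_for(user))


def can_change_temperature(user, entity_id, current, requested):
    """Attribute-level check: clamp how far a role may move a thermostat."""
    for g in grants_for(user):
        if not (_any_match(g.entities, entity_id)
                and _any_match(g.services, "climate.set_temperature")):
            continue
        if g.max_temp_delta is None or abs(requested - current) <= g.max_temp_delta:
            return True
    return False


if __name__ == "__main__":
    print(can_control("mom", "light.guest_room_lamp", "light.turn_on"))  # True
    print(can_control("mom", "lock.front_door", "lock.unlock"))           # False
    print(can_use_layer("mom", "more_info"))                             # False
    print(can_change_temperature("mom", "climate.hallway", 20.0, 24.0))  # False
```

The point of the separate `layers` grant is the escalation path described earlier in the thread: an entity grant alone should not imply access to its more-info panel, device page, history or map, so those are refused unless listed explicitly. The temperature clamp shows that “limited control” sometimes has to be enforced on the value being set, not just on which service may be called.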

I would object to this part only.

Some kind of log in MUST happen even if it’s QR code or some kind of simple numeric or pictograph.

Zero trust. never have - no login. If you’re not logged in your access is None.

(my wall tablets each have their own accounts and auto login)

bad things happen with anonymous access to something that can (potentially) be elevated and we must assume it’s possible.

Everything else. Yep.

3 Likes

To be fair to the HA team that asked why, I don’t think it was because they couldn’t think of any good reasons. I think they were just trying to probe for the underlying reasons so that they could make more educated decisions.

2 Likes

I’m setting up a dashboard for my “not-so-tech-savvy” parents. I’m just trying to make it as plain as possible. I don’t like the idea of my parents losing themselves in more and more submenus.

1 Like

That’s fair that not everyone would have a use for this, but it wouldn’t be a requirement to expose anything. Just an option. In my use case they’ve already authenticated to low level trust by being on our home or even guest network. I’m good with them turning on the lights and music, etc.

If the dash is configured right there should be a very low risk of elevation. As it is, I had to jump through extreme hoops to prototype and cobble together something similar over here, and again, if it weren’t for WPA2 I wouldn’t like it. That approach isn’t scalable to more than a few basic interactions due to the legwork involved.

I’m sure you’re right. I could’ve/should’ve would’ve skipped that comment. :slightly_smiling_face: Thank you Home Assistant team!

I share a house with two other, non-technical people. +1 on being a control freak, security minded IT professional who prefers to follow standard security practices for most of the reasons previously mentioned.

@MissyQ and @anakinsbrn:

  • One of my housemates has a girlfriend I would like to give access to on her mobile device. However, neither he nor she should have location access to the other’s device history! That could cause relationship problems and could possibly become a legal issue (stalking/tracking another person) one day! She should also be limited to controlling devices in his part of the house plus the common areas like kitchen, living room, etc, door locks, and garage door. We already have the option for access only when on local LAN which is a great start for this case scenario.
  • Owning a house in NYC also means we have a lot of out of town company. I give them mobile devices (old cell phones and tablets with the companion app logged into a guest account) to use while staying with us. They needed restricted access to the devices and options available in the bedrooms they are sleeping in plus the common areas only. A guest dashboard with no menus.
  • In addition, I would like to add a wall tablet on the deck for light and media center control. That means it would be outside and I certainly do not want easy access to all of Home Assistant accessible to a would be burglar.

So, for many of the reasons previously mentioned plus possible legal issues and possible home security issues, I feel the current way the frontend is exposed poses production ready application roadblocks. It is, however, fantastic for the individual who sets up and maintains the system.

This is an amazing project with a fabulous community behind it and I use Home Assistant in production within our three homeowner group but am not comfortable at all sharing with others with which we give keys to the house.

I also am in the camp of zero trust, no access until specifically granted, Linux style security.

5 Likes

We are working on an open source/hardware physical access control system using secure NFC (desfire etc.) and a controller using ESP32 (Olimex: ESP32-POE2 + MOD-IO boards). Most likely we will integrate with HA, though it will be independent for stability. RBAC would be nice in HA. Maybe via an integration with an existing identity provider platform such as Authentik or Zitadel.

I am new to HA, was using a proprietary KNX integration to control (and give my family and guests control) to everything in my house - with layered security.
In my home, this controls everything from lights and outlets to heating, car charging, and the security alarm device, not to mention the Omada network controller.
I want to move away from the proprietary system because it is an expensive, outdated, closed-shop solution requiring old, energy-intensive hardware, and I found HA, which seemed to be the perfect replacement with integrations for basically everything.

I was puzzled to learn that HA has only minimal means of securing access beyond admin and regular users. While I found some workable but tiresome solutions by reading this thread alone, I am wondering why the middleware was designed without a security concept in mind.

Absolutely supporting the idea of making 2025 the year of security for HA!

2 Likes