WTH!? No RBAC - Role Based Access Control? (Users & Groups rights)

But what about the menu items?

1 Like

Completely agree that we need more roles and maybe roles for views, because as you are saying, users is a bit generic.

You can set up a user to have their default dashboard be something else, but they can always select any dashboard that is available to users.

Please note, in that post I’m not requesting access control, but merely the ability to show/hide (which is not the same).

2 Likes

Let’s keep custom things out of this and focus on the core :tada:

4 Likes
3 Likes

You could use Custom header to restrict views per user.

But setting this up for multiple dashboards with multiple views is not an easy task…

But that’s “custom”, and indeed a lot of “hassle”. Would like to see it “supported” in Home Assistant.

2 Likes

What happened to this? Nothing?

Or is it…?

1 Like

What happen(s/ed) to this very popular WTH?

1 Like

From the FAQ of the month of WTH:

"Is everything reported going to be fixed/addressed?"

There is no guarantee that will happen. The goal is to lower the barrier to
reporting things for one month. Home Assistant still relies on contributors
to address or improve the project. However, we do think collecting feedback
this way can tremendously help with the upcoming

Me me me! Would love to see some role based permissions at least for the dashboard(s).

I was just looking to set up access for my kid to control her room, when I learned there’s no access control. I’m astonished by this security hole missing basic feature.

Design decision/focus of effort != security hole. :slight_smile:

I bet PRs would be accepted to enhance the RBAC though - it’s something a bunch of us would like and benefit from, but either don’t have the skills or time to make the enhancements and thus are grateful for the features and fixes others are adding!

Remember, you can always lock down the dashboard pages for a single user:
image

1 Like

This doesn’t turn off the GPS MAP, the log entries nor the history graphs. None of which a standard user should have access to.

I don’t consider this to be even close to the same as RBAC. I have to hide add-ons from the side menu, which makes it a pain for those admins to access through the add-on screen. It’s a pretty large missing feature.

1 Like

“Lock down” is not the correct choice of words here. Obscure at best. This literally just hides the option from the navigation; if that user enters the URL for the dashboard directly, it still opens no matter what you have set there.

Besides, even if this did actually lock down who could see that tab, it’s still only a UI control, which means it can never be more than security by obscurity. For something to be RBAC it needs to be worked into the API.

That being said, there is some amount of actual RBAC controls for the brave that want to try it. See balloob’s post above for how to use it. I have not tried this feature myself so I am not recommending it, just reminding people that it exists. And for any developers interested in this that are willing to work on it, that’s a good place to start from.

1 Like
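
The distinction drawn in the post above, between hiding a dashboard in the navigation and enforcing access in the API, shown as an added example that is not part of the thread and is not Home Assistant code. The paths, roles and function names are hypothetical, chosen only to model the two behaviours side by side.

```python
# Constructed model, NOT Home Assistant code: every name and path is hypothetical.
from dataclasses import dataclass, field

DASHBOARDS = {
    "/dash/kids-room": "kids room controls",
    "/dash/admin": "admin overview",
    "/map": "GPS map",
}

# Server-side policy: role -> paths that role may load. Unknown roles get nothing.
ROLE_POLICY = {
    "admin": set(DASHBOARDS),
    "child": {"/dash/kids-room"},
}

@dataclass
class User:
    name: str
    role: str
    hidden_in_sidebar: set = field(default_factory=set)  # UI preference only

def sidebar(user):
    """What the navigation renders: every dashboard minus the hidden ones."""
    return sorted(p for p in DASHBOARDS if p not in user.hidden_in_sidebar)

def serve_ui_only(user, path):
    """Handler that relies on the sidebar: any known path is served to anyone."""
    return (200, DASHBOARDS[path]) if path in DASHBOARDS else (404, "not found")

def serve_enforced(user, path):
    """Handler that checks the role policy on every request (default deny)."""
    if path not in DASHBOARDS:
        return (404, "not found")
    if path not in ROLE_POLICY.get(user.role, set()):
        return (403, "forbidden")
    return (200, DASHBOARDS[path])

def demo():
    kid = User("kid", "child", hidden_in_sidebar={"/dash/admin", "/map"})
    return {
        "sidebar": sidebar(kid),                                 # only the kid's room
        "ui_only_direct_url": serve_ui_only(kid, "/map")[0],     # still served
        "enforced_direct_url": serve_enforced(kid, "/map")[0],   # refused
        "enforced_allowed": serve_enforced(kid, "/dash/kids-room")[0],
    }

if __name__ == "__main__":
    print(demo())
```
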

I’ve recently tried playing around with it on a test instance. HA seems to start back up somewhat normally, but the UI is completely inaccessible. I can SSH in and see HA core logs going, but if I try to access the frontend it just says the connection was refused. As soon as I remove the additions to the auth file it’s fine again.

Has anyone else played around with this? I’m wondering if @balloob could weigh in on this since there hasn’t been any talk of it since that blog post. I wouldn’t be too surprised if it was in rough shape if it’s just been hanging out there for 3 years while HA has been changing around it.

What are you referring to? There is no RBAC at the moment. There’s user based dashboards that can be displayed, that’s about it.