WTH!? No RBAC - Role Based Access Control? (Users & Groups rights)

I don’t consider this to be even close to the same as RBAC. I have to hide add-ons from the side menu, which makes it a pain for those admins to access them through the add-on screen. It’s a pretty large missing feature.

1 Like

“Lock down” is not the correct choice of words here. Obscure at best. This literally just hides the option from the navigation; if that user enters the URL for the dashboard directly, it still opens no matter what you have set there.

Besides, even if this did actually lock down who could see that tab, it’s still only a UI control, which means it can never be more than security by obscurity. For something to be RBAC it needs to be worked into the API.

That being said, there is some amount of actual RBAC controls for the brave that want to try it. See balloob’s post above for how to use it. I have not tried this feature myself so I am not recommending it, just reminding people that it exists. And for any developers interested in this that are willing to work on it, that’s a good place to start from.

1 Like
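An added illustration of the point in the post above (this is constructed demo code, not code from Home Assistant or from any poster): hiding a dashboard in the sidebar is a per-user display preference, so a direct request for its URL is still served unless the API itself checks the caller's role. The dashboard paths, the `is_admin` flag and the HTTP-style status codes are assumptions made for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data: two dashboards, one intended for administrators only.
DASHBOARDS = {"/lovelace": "Overview", "/dashboard-admin": "Admin panel"}
ADMIN_ONLY = {"/dashboard-admin"}


@dataclass
class User:
    name: str
    is_admin: bool
    # Per-user "hide from sidebar" toggle; this is UI state, not a permission.
    hidden_dashboards: set[str] = field(default_factory=set)


def sidebar(user: User) -> list[str]:
    """UI layer: lists the dashboards the user has not hidden. Purely cosmetic."""
    return [path for path in DASHBOARDS if path not in user.hidden_dashboards]


def get_dashboard_ui_only(user: User, path: str) -> tuple[int, str | None]:
    """'Obscurity' variant: the API never consults a role or the hide setting,
    so a direct request for the URL of a hidden dashboard is served anyway."""
    if path not in DASHBOARDS:
        return 404, None
    return 200, DASHBOARDS[path]


def get_dashboard_enforced(user: User, path: str) -> tuple[int, str | None]:
    """Enforced variant: the authorization check lives in the API and does not
    depend on what the sidebar shows, so hiding the entry changes nothing here."""
    if path not in DASHBOARDS:
        return 404, None
    if path in ADMIN_ONLY and not user.is_admin:
        return 403, None
    return 200, DASHBOARDS[path]


if __name__ == "__main__":
    guest = User("guest", is_admin=False, hidden_dashboards={"/dashboard-admin"})
    print("sidebar shows:", sidebar(guest))
    print("UI-only API, direct URL:", get_dashboard_ui_only(guest, "/dashboard-admin"))
    print("enforced API, direct URL:", get_dashboard_enforced(guest, "/dashboard-admin"))
```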

I’ve recently tried playing around with it on a test instance. HA seems to start back up somewhat normally, but the UI is completely inaccessible. I can SSH in and see HA core logs going, but if I try to access the frontend it just says the connection was refused. As soon as I remove the additions to the auth file it’s fine again.

Has anyone else played around with this? I’m wondering if @balloob could weigh in on this since there hasn’t been any talk of it since that blog post. I wouldn’t be too surprised if it was in rough shape if it’s just been hanging out there for 3 years while HA has been changing around it.

What are you referring to? There is no RBAC at the moment. There’s user based dashboards that can be displayed, that’s about it.

They’re referring to this:

Which, yeah, I would guess has been hanging out largely unchanged since it was released in 11/2018. Although I will note that the “administrator” option on users has made some strides. There are definitely a good number of things non-admins cannot do, and those restrictions are implemented at the API layer, so they are actually secure, unlike hiding UI options.

But in general the advice hasn’t changed: HA isn’t designed for multi-tenant use cases; only grant access to people you trust to follow your rules.

3 Likes