Currently a quite effective access protection is possible by restricting access to certain lovelace dashboards.
When it comes to views, the current situation unfortunately is:
- once a user knows the navigation path (the URL like e. g.
/lovelace/server-mgmt), (s)he can access that view if it is part of a dashboard (s)he is allowed to access. - so it’s a common misconception of people thinking, that ticking the boxes in the individual view settings is really blocking users of accessing this view.
In other words: this is not far away from something like “security by obscurity”
Trying to initially hide that navigation path in the UI is possible e. g. using GitHub - iantrich/restriction-card: 🔒 Apply restrictions to Lovelace cards, but is a) quite some work and b) not very efficient cause it’s just a workaround for a root cause.
I would be happy if users with a disabled view access configuration are presented with a “Uh uh uuuh, nothing for you to see here is, go back you can!” yoda style page. Just kidding, fine with any other non-yoda-based improvement here too 