RBAC - Role Based Access Control (Users & Groups rights)

I want to have my home assistant being used by all people living in the home. Having only an admin and a user is somewhat misleading…

I am the admin, my children and wife the users…

I would expect proper Role Based Access Control.

See below, more reason to prioritize this? :slight_smile:

:warning: No Longer an Active Project

I have come to the difficult decision to stop work on Custom Header and have archived the project. Please, see the farewell post for more info.

MOD EDIT - @petro - This was moved from the Month of "What the heck?!" into the Feature Requests category to retain votes.

I concur with this - I want to be able to restrict access to all kinds of dashboards and links in the sidebar. I don’t want to have to customize the sidebar for each of my users’ devices individually.

19 Likes

+1

Really need the ability to give specific users access to specific pages and/or entities only.

“Restricted” users should be an allowlist concept: they start with access to nothing at all and only get access to the pages or entities we grant them. Granting them access to a page (or a tab…) should automatically add all devices and entities on that page or tab to their allowlist.

Initial implementations do not need to be perfect/bullet proof. Most of us are using this to provide access to family members, not random untrusted members of the public, so, eg, if some API calls don’t restrict to the allowlist to start with, that’s ok, as long as the UI does.

12 Likes

Few additional thoughts on this:

my submission was set as a duplicate of this, so I just wanted to add my thoughts here on why this is really badly needed:

I’ve run across so many situations where I need some way to limit what pages/menus show up depending on the user or use case, and every time I ask about it, I usually get some really complicated instructions about building my own web frontend. HA already has a user system - all it needs is a way to limit views/dashboards based on those users!

Here are a few use-cases (which I must say, seem very legitimate to me), that I simply cannot find any relatively easy way to implement:

  1. I would like my kids to be able to control and monitor a subset of things in my home. For example media controls for certain areas in the house, sensors, etc. I do not want them to have the ability to go into the menu and see logs and other advanced functionality or switch away from the dashboard I have made for them. I can’t figure out how to easily do this.
  2. The guests that stay in my home will sign into the guest wifi and are then redirected to a page after logging in that gives them helpful information. I would like to send them a custom dashboard so they can set A/C controls for their room, see certain conditions and cameras around the house, read helpful notes about the coffee pot or the alarm system, show them the upcoming weather for our area, etc. But I do not want them to have access to all of my dashboards and see all of the sensors in the home, or have access to a menu to go into other pages. I can’t figure out how to easily do this.
  3. It is becoming increasing popular to utilize wall panels as built-in controls (such as mounted tables or the hacks for the NSPanel that have come out recently). But when you install the app or use a browser, you will need to log in and I would like for these wall panels to not have access to the side menu with logs and whatnot. I’d also like to have a specific set of dashboards that people can use from the wall mounted panel. I can’t figure out how to easily do this.

Please add the ability for users (or maybe groups of users?) to be restricted to certain dashboards (along with a checkbox that says whether they should have access to the menu on the left). This would enable some really great solutions for guests, kids, aging parents, wall panels, etc.

12 Likes

Recently came across this when making a dashboard for a spouse

2 Likes

I’ve set up a per-device dashboard by:

  1. Using Trusted Networks to set two of my iPads to log in automatically as a specific user.
  2. I manually installed GitHub - maykar/kiosk-mode: 🙈 Hides the Home Assistant header and/or sidebar (since it’s archived) and it’s still working fine. However, since then it appears someone has forked and is possibly maintaining it at GitHub - NemesisRE/kiosk-mode: 🙈 Hides the Home Assistant header and/or sidebar.
  3. Opened Home Assistant on each device, and set the default dashboard.

The only problem is that if Safari clears the login cookies and session data, I think that will reset the default dashboard.

This is fragile enough that I wouldn’t rely on it if the dashboards were needed to control the house. In my case, it’s just for some fun multicolour lights, and they can still be controlled normally with switches if for some reason the dashboard isn’t working.

Being able to simply set users to be associated with dashboards would be great. However, there’s tricky cases, such as if a dashboard or an entity card links to a device page, the history graphs, or the log book. I think to be fully usable we’d also need permissions for non-dashboard routes.

I would also just to echo the point made by appleguru.

By all means placard it with disclaimers that it is not guaranteed to be secure - this feature would still be a very large bonus. I believe that 95% plus of the uses of this feature will be for people we already trust enough to let stay in our home or would give the keys to the home to.

For such people this is still a very useful feature; it still:

  1. helps keep honest people honest and/or removes temptation to pull pranks or what have (turning lights on and off on me in my bedroom or something) or to snoop through the history section (because the button was right there).
  2. ensures trusted but potentially snoopy older family members (who I know aren’t tech savy) don’t snoop. I could give my mom the ability to open the garage door to water plants while on vacation. I know she won’t come do that otherwise without good reason especially when she knows I would see it in the log. But I don’t need her being able to ask my why i was in neighborhood X last week because she was looking at my map or why my computer was on and using energy till 2am and that I should be going to bed on time as a 34 year old adult.
6 Likes

Agree strongly on this, commenting here because I expected to find this WTH topic by searching for “authorization”. RBAC is not the only viable authorization scheme, there is a scale from the really simple and inadequate (which is what HA has now, in my opinion) via RBAC to full-fledged ABAC or other policy based authorisation. So what I’d really like is a discussion of what HAs authorization scheme should ideally look like, and the path towards an implementation.

2 Likes

Any kind of RBAC should also support more authentication methods. Let me set up Sign in with Google, or LDAP, or whatever.

4 Likes

Authorization and authentication are not the same thing.

This WTH is about authorization. As in given that HA knows who the user is, WTH aren’t there more options for an admin to restrict what that user can see and do?

Authentication is how HA figures out who the user is, a prerequisite to determining what they can see to do. If you think there needs to be more options for that, please open a different WTH. Or just vote for this one since I’m pretty sure that’s what you’re looking for.

8 Likes

This is my number one wish for HA. I’d love to have a dash for guests, for children, for spouse and then myself of course!
I do believe this should be native though…I’ve tried the kiosk mode and it can easily be defeated so it won’t do in my situation.

1 Like

Role based access control is my most sought after feature. Our dog sitter lives in our other house and I would really love to give her access to a limited subset of Home Assistant.

Even being not technically inclined at all, she was able to find her way around and started trolling us by switching on and off our lights in the living room.

I agree with the suggestion from @appleguru that a restricted mode should default to no access, with granular access added as needed.

2 Likes

It seems like they had started to work on this a while ago:

A few months back I tried implementing this (on a test instance). However, after making the changes and trying to start up HA, it would fail to start and I wasn’t able to see any logs indicating what the problem was.

Would be interested to hear from some devs on what the state of this might be and what could’ve gone wrong.

2 Likes

Two use-cases for the same user:

  1. My son should not be able to do goofy things like flash the living room lights or change the music. He should have control access to his room only, even from his ipad.

  2. When he’s at his mom’s house he shouldn’t even be able to access. I REALLY don’t want my Ex or his friends at his mom’s house to see my front yard cameras, for instance.

3 Likes

This one is in the right place, that’s RBAC.

This one isn’t. You’re going to need a different WTH for this one, that’s not RBAC anymore.

Rbac is basically where an admin can create roles/groups and put users in them. Then they can decide what each role/group can or cannot access. What a user can or cannot do is then determined by their roles.

But roles are static. A user either is or isn’t an admin. Or a developer. Or a manager. Or whatever roles you want to make up.

What you’re asking for is not static. You’re asking for a users access to change based on their physical location. The same user can see and do different stuff depending on the current value of some attribute of that user. You’ve now moved past RBAC and into ABAC territory.

1 Like

True, this isn’t an RBAC thing, but combined with the local only user system that was added some time ago it would do what is wanted.

At a minimum,
Restrict the overview page in the backend rather than the frontend and force a default view to specific user

In the backend only. No more frontend user admin pls.

I really need this.

My use case is, that I’m the admin, and I might allow someone who’s not an admin to connect a new light bulb or create automations, but I might not want this person to install new integrations or mess around with the .yaml config files.

You might call it a ‘superuser’-level.

So what I need is; admin, superuser and user roles. Should be possible to achieve with RBAC.

1 Like

I would love this! As thing are now the user has way too much access and we only have two tiers.