WTH2 - WTH!? No RBAC - Role Based Access Control? (Users & Groups rights)

Recently came across this when making a dashboard for a spouse

2 Likes

I’ve set up a per-device dashboard by:

  1. Using Trusted Networks to set two of my iPads to log in automatically as a specific user.
  2. I manually installed maykar/kiosk-mode from GitHub (since it’s archived) and it’s still working fine. However, since then it appears someone has forked and is possibly maintaining it at NemesisRE/kiosk-mode on GitHub.
  3. Opened Home Assistant on each device, and set the default dashboard.

The only problem is that if Safari clears the login cookies and session data, I think that will reset the default dashboard.

This is fragile enough that I wouldn’t rely on it if the dashboards were needed to control the house. In my case, it’s just for some fun multicolour lights, and they can still be controlled normally with switches if for some reason the dashboard isn’t working.

Being able to simply set users to be associated with dashboards would be great. However, there are tricky cases, such as if a dashboard or an entity card links to a device page, the history graphs, or the log book. I think to be fully usable we’d also need permissions for non-dashboard routes.

I would also just like to echo the point made by appleguru.

By all means placard it with disclaimers that it is not guaranteed to be secure - this feature would still be a very large bonus. I believe that 95% plus of the uses of this feature will be for people we already trust enough to let stay in our home or would give the keys to the home to.

For such people this is still a very useful feature; it still:

  1. helps keep honest people honest and/or removes temptation to pull pranks or what have you (turning lights on and off on me in my bedroom or something) or to snoop through the history section (because the button was right there).
  2. ensures trusted but potentially snoopy older family members (who I know aren’t tech savvy) don’t snoop. I could give my mom the ability to open the garage door to water plants while on vacation. I know she won’t come do that otherwise without good reason, especially when she knows I would see it in the log. But I don’t need her being able to ask me why I was in neighborhood X last week because she was looking at my map or why my computer was on and using energy till 2am and that I should be going to bed on time as a 34 year old adult.

6 Likes

Agree strongly on this, commenting here because I expected to find this WTH topic by searching for “authorization”. RBAC is not the only viable authorization scheme, there is a scale from the really simple and inadequate (which is what HA has now, in my opinion) via RBAC to full-fledged ABAC or other policy based authorisation. So what I’d really like is a discussion of what HA’s authorization scheme should ideally look like, and the path towards an implementation.

2 Likes

Any kind of RBAC should also support more authentication methods. Let me set up Sign in with Google, or LDAP, or whatever.

4 Likes

Authorization and authentication are not the same thing.

This WTH is about authorization. As in given that HA knows who the user is, WTH aren’t there more options for an admin to restrict what that user can see and do?

Authentication is how HA figures out who the user is, a prerequisite to determining what they can see and do. If you think there needs to be more options for that, please open a different WTH. Or just vote for this one since I’m pretty sure that’s what you’re looking for.

8 Likes

This is my number one wish for HA. I’d love to have a dash for guests, for children, for spouse and then myself of course!
I do believe this should be native though…I’ve tried the kiosk mode and it can easily be defeated so it won’t do in my situation.

1 Like

Role based access control is my most sought after feature. Our dog sitter lives in our other house and I would really love to give her access to a limited subset of Home Assistant.

Even being not technically inclined at all, she was able to find her way around and started trolling us by switching on and off our lights in the living room.

I agree with the suggestion from @appleguru that a restricted mode should default to no access, with granular access added as needed.

2 Likes

It seems like they had started to work on this a while ago:

A few months back I tried implementing this (on a test instance). However, after making the changes and trying to start up HA, it would fail to start and I wasn’t able to see any logs indicating what the problem was.

Would be interested to hear from some devs on what the state of this might be and what could’ve gone wrong.

2 Likes

Two use-cases for the same user:

  1. My son should not be able to do goofy things like flash the living room lights or change the music. He should have control access to his room only, even from his iPad.

  2. When he’s at his mom’s house he shouldn’t even be able to access. I REALLY don’t want my Ex or his friends at his mom’s house to see my front yard cameras, for instance.

3 Likes

This one is in the right place, that’s RBAC.

This one isn’t. You’re going to need a different WTH for this one, that’s not RBAC anymore.

RBAC is basically where an admin can create roles/groups and put users in them. Then they can decide what each role/group can or cannot access. What a user can or cannot do is then determined by their roles.

But roles are static. A user either is or isn’t an admin. Or a developer. Or a manager. Or whatever roles you want to make up.

What you’re asking for is not static. You’re asking for a user’s access to change based on their physical location. The same user can see and do different stuff depending on the current value of some attribute of that user. You’ve now moved past RBAC and into ABAC territory.

1 Like
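
The RBAC/ABAC distinction drawn in the post above, as an added example that is not part of the original thread and is not Home Assistant's permission model. The role names, entity ids and the `zone` attribute are assumptions made for illustration; the policy is default-deny, as suggested earlier in the thread.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role names, entity ids and the "zone" attribute are
# assumptions for illustration, not Home Assistant's permission model.
ROLE_GRANTS = {
    "admin": {("*", "read"), ("*", "control")},
    "kid": {("light.kids_room", "read"), ("light.kids_room", "control")},
}

@dataclass
class User:
    name: str
    roles: frozenset
    attributes: dict = field(default_factory=dict)  # dynamic facts about the user

def rbac_allows(user, entity, action):
    """Static check, default deny: allowed only if a role grants (entity, action)."""
    for role in user.roles:
        grants = ROLE_GRANTS.get(role, set())
        if (entity, action) in grants or ("*", action) in grants:
            return True
    return False

def abac_allows(user, entity, action):
    """RBAC grant plus an attribute condition evaluated on every request."""
    if not rbac_allows(user, entity, action):
        return False
    if "admin" in user.roles:
        return True
    # Non-admins must currently be in the "home" zone; a missing attribute denies.
    return user.attributes.get("zone") == "home"

def evaluate_scenarios():
    son = User("son", frozenset({"kid"}), {"zone": "home"})
    results = {
        "own_room_at_home": abac_allows(son, "light.kids_room", "control"),
        "living_room_at_home": abac_allows(son, "light.living_room", "control"),
        "camera_at_home": abac_allows(son, "camera.front_yard", "read"),
    }
    son.attributes["zone"] = "not_home"  # same user, same roles, new location
    results["own_room_away_rbac_only"] = rbac_allows(son, "light.kids_room", "control")
    results["own_room_away_abac"] = abac_allows(son, "light.kids_room", "control")
    return results

if __name__ == "__main__":
    for scenario, allowed in evaluate_scenarios().items():
        print(f"{scenario}: {'allow' if allowed else 'deny'}")
```

The role check alone gives the same answer wherever the user is, which is why the second use case needs the attribute condition on top of it.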

True, this isn’t an RBAC thing, but combined with the local only user system that was added some time ago it would do what is wanted.

At a minimum,
Restrict the overview page in the backend rather than the frontend and force a default view to specific user

In the backend only. No more frontend user admin pls.

I really need this.

My use case is, that I’m the admin, and I might allow someone who’s not an admin to connect a new light bulb or create automations, but I might not want this person to install new integrations or mess around with the .yaml config files.

You might call it a ‘superuser’-level.

So what I need is; admin, superuser and user roles. Should be possible to achieve with RBAC.

I would love this! As things are now the user has way too much access and we only have two tiers.

+1

I have 2 main use cases.
I’d like to create a user for regular guests that only control things in certain areas of the house – roles per zones/areas if you will!

I’d also like to help out some family members who have a few sensors or a smart garage door opener that’s cloud based, and set it up in HA to make it more user friendly. Sure I could set up HA at their location but then I have to manage and maintain it.

I also feel this should be a priority.

Guest mode addon does not fit all.

PRETTY PLEASE 🙂

You can restrict accounts to access your HA instance from home only.

1 Like

This is so important.

The visibility settings for lovelace were a good start. I am able to restrict my kids from being able to see and control some things. But, they still see the link to node-red and esphome in the sidebar. That could lead to disaster if they ever decide to mess around in there.

Refining the access controls is a huge step towards big WAF points! Just imagine what we could be doing instead of training our users on what they aren’t allowed to touch!

1 Like

I concur.

While on this subject I have this use case which extends RBAC by including an ability to trust a remote ID.
Take the following situation, I know 3 people using HA to run their homes, they all have the HA client installed on their phones and while not wanting to give full access to each other would like to allow a trusted person with HA on their phone to have some access to their devices at some times of day.
Using some form of open ID trust would allow a user to see the bits they have rights to once that OpenID was trusted and assigned a role.

That is my 2 pennies worth.
Thanks,
Chris.