WTH2 - WTH!? No RBAC - Role Based Access Control? (Users & Groups rights)

Yes you need to configure a user. Else you cannot grant access. No you don’t want a system that doesn’t require user accounts. It’s an incredibly bad thing from a security perspective (and yes tbh out of scope for this thread. - if you want to continue the discussion probably open a new thread after searching)

That said most people don’t ask thier transient users to install anything and use a kiosk in concert with a preconfigured user account. Heck most tenants don’t want complex.

Yes that means you do not get zone data (no GPS-no app) so you cannot do location aware unlocks etc. but tbh if I were your tenant I’m not giving you that anyhow. And I’m certainly not reconfiguring my install of HA companion to talk to your install…

Just set your locks using a lock code solution in combination with whatever you’re using for booking make the lighting as automatic as possible, give a small kiosk or a tablet for fancy movie controls and they’ll be pleased as peaches.

Mind that this is a Home Assistant, not a Business Assistant

I’d also not recommend exposing HA directly to any people you can’t trust → like airbnb guests. It will not be safe in any way.

I guess the way to go is to find some kind of KIOSK software that could REST API to HA and recreate the whole UI upon it. It should limit the user to not being able to see/change the REST details though. Like a public information kiosk or sth, idk. It’s a long shot anyway.

If I were to supply airbnb guests with a UI to control things via a tablet. I would roll my own dashboard that outputs to a single endpoint.

Something like HA fusion would probably get the job done. I’d have to verify it doesn’t have the ability to edit things via it’s frontend, I haven’t used it yet. But based on how it’s built, I would assume that you wouldn’t have that type of control. https://github.com/matt8707/ha-fusion

EDIT. nevermind. It looks like the editing is handled in the container as well.

Which means that leaves us with appdaemon dashboard as the easiest route to get the job done.

If anyone is using Node-RED (which I know petro is not ;)), you can create dashboards in there. They aren’t the prettiest, but get the job done. I used them in the past before kiosk-mode had all the features it does today.

Nooooooooooo way. Hard pass.

I too have a few Airbnb properties, it’s why I wrote Rental Control for the lock integration to calendars.

My properties have a few smarts in them, but in all cases (that matter) the guests have standard physical controls. The only exception is for garage door access. For those guests that need it (medium - long term) guests I provide access to the garage door remoting via the Limited Guest addon. It doesn’t exactly give the prettiest interface, but for a simple toggle button for opening / closing a garage door with time limits it works well along with a custom URL.

Basically, I provide a situation where the guest really shouldn’t have to think about the fact that the house has some smarts, it just does the things it needs to and then gets out of their way.

No airb-bnb business thing here. Just a normal home with two smart kids who will mess with the configuration as soon as they figure out they can control more than just the lights.

This discussion has been going for a few years, how is it going with the groups and rule based access? I would really like to give the kids an account so:

a) they can control their own lights without changing other stuff
b) have the HASS app on their phone so I know when they are safely at home (and they know I am at work or at the shop, maybe)

How can I help to get this Groups or “Rule Based Access Control” working?

I have a housemate and it would be great to allow minimal access to only the stuff I think he needs. Nothing to do with a business but simply making sure someone doesn’t break my setup or play with things I don’t want messed with. ie: my irrigation which is fully controlled by HA.

Yes, but in his case, I think he’s actually complaining about the need to configure each device and that the configuration doesn’t stay with the user account across devices.

This is a problem unique to HASS and has to do with construction of the application and not anything related to security.

A lot of homes have kids that also can’t necessarily be trusted. Mischief is a natural part of childhood and if I can’t protect my HASS installation from them, I simply can’t give them access to it at all, which kind of defeats the point.

Turns out that meeting the needs of people with kids in terms of RBAC would also meet the needs of AirBNB users for the most part, so really, it’s time to consider doing RBAC in HASS regardless. Lots of people have expressed lots of reasons this is needed, most are valid even if you exclude business/AirBNB purposes.

Further, it’s kind of ridiculous that a system this complex ever got built without any attention to this need.

So I’m going to summarize the comments to date…

LOTS of people want RBAC in HA for a variety of reasons.
LOTS of people want dashboards and/or views that can be configured to follow the user account and not have to be configured per device. Currently this can be done with views to some extent, but is completely lacking in dashboards.

RBAC is hard to do right and there’s little agreement about what would be “right” and it will be difficult to achieve such agreement without even having one or more straw-man proposals to choose from.

Minimum requirements expressed by most of the users in this thread so far seem to include:

• Some ability to restrict which URLs or control-points a given user can access
• Some ability to define groups of users and set control-point limits on the group
• Opt-in permissions are probable better than Opt-out (e.g. a user/group gets a list of things they are allowed to do (and can’t do anything not on the list) rather than a list of things they are not allowed to do (and can do anything not on the list)).

I’m not (yet) well versed in the HA architecture and construction, but it appears from what I have learned so far that this would require each HTTP end-point to implement the RBAC separately. Since there is a large number of authors, especially for plugins, adding, and the like, getting universal implementation in these external projects is likely hard and will likely take a long time.

Presumably before any user can (usefully) access any HTTP end-point, they have to be authenticated. As such, it should be relatively simple to implement an API for RBAC authorization that could be imported and called by any end-point implementation. Endpoint usage could be as simple as something like:

from RBAC import RBAC_auth
allowed = RBAC.auth(<username>,<module_id>,<object_id>,<operation_id>)

<username> would be the currently authenticated user.
<module_id> would be a unique identifier for the end point (plugin, add-on, core-module, etc.)
<object_id> would be a unique identifier of the object the operation is to be performed on
<operation_id> would be a unique identifier for the operation being attempted by the user (e.g. turning on a light, etc.)

the return value (allowed) would be a boolean True for operation is permitted and False for operation is not permitted.

Obviously, the API for managing user permissions, groups, group permissions, etc. would be more complex, but that has the advantage of existing entirely within core HASS so as long as we can define the above single API call well enough that it covers all cases (and/or is sufficiently extensible without breaking prior implementations), I think this would be what is necessary to allow external developers to start implementing RBAC capabilities in their projects.

An initial stub that just returns True for everything could be deployed to provide equivalent/compatible current behavior until the full API reaches a release-worthy state.

So far, this thread has been mostly complaining about what isn’t available without having any concrete suggestions for a way forward. I’m hoping that my above suggestions if not wholly implementable can at least start a discussion moving in that direction so that we can talk about how to do this and getting it done. I think we have clearly identified the use cases for it and the need for it.

In addition to your suggestion, I’ll re-up my previous suggestion to re-use the RBAC that is already implemented for voice assistants for users.

Please implement this on an entity level. It is more relevant for privacy than security.

Authorization is hard to do right. There are use cases for privacy scenarios, and for security.

In my previouus life, when I’ve gone into an existing code base as part of a team and re-architected systems for more fine grained control, you have to start at the top, which might seem too coarse. The most straightforward design pattern in REST is thinking about the URL namespace and mapping parts of the URL path to specific permissions (sometimes called scopes). Then you can start chopping into more and more fine grained pieces over time.

So, for example, you could assign a permission to any dashboard or add-on (things after the instance root in the URL like /lovelace/default_view or /energy. Scopes as simple as lovelace:read or energy:read.

We did open source an authorization server, see the-usher-server/docs/GLOSSARY.md at 2f33a30e97d0361bd180a4acae2fd35b5a11db07 · DMGT-TECH/the-usher-server · GitHub - it has a good discussion on the complexity and an approach that is possible. This approach assumes authorization results in auth tokens, and these tokens can be quickly turned into permissions so the main dispatch loop can use it.

Really fine grained permissions are a lot more complex. But I don’t think that is what 90% of the use cases require.

My 2 cents.

Speaking as a user - not a developer; I think a majority of people would be satisfied at first, with simply being able to hide pages like energy and map dashboard from certain users. I trust the people I want to give access, I just not want them to have (for example) the map right there, because then curiosity will take over. A solution as simple as that would be greatly appreciated, probably by many people, while a more comprehensive API/URL RBAC is being discussed and developed.

What do you think?

I think you’re right. Although you can do it case by case in the app or in the users settings I think it should be doable from and admin point of view.

The thing is, it used to be there, although it was “custom” at that time…

Yes, even if, for example the option to hide sidebar elements is not a per browser setting but a setting for the user from whereever they go into their dashboard, this would be very helpful. Then maybe have the option to also not allow this user to make changes to their settings and it would be good enough for family members…

+1

Despite my ignorance, I think it would be possible to just add Map, Logbook, History and so on to the Settings/Dashboard section to edit what is Admin only and what is not.
If we wanna push it further, you could also implement the possibility to enable/disable the possibility to visualize each board for any user.
You could start from something simple, like hiding it from the sidebar. I know this won’t prevent to see them from the browser but at least we can control a bit what users can see from the app and even quickly change the permissions (ie I wanna enable the Map view for a user for a couple of hours and then disable it again).
I think that this would be already hugely appreciated from the community…

That’s available in 2024.4 for Map, which will be released tomorrow.

Also, I believe the groundwork was added to potentially expand that functionality to other “default” dashboards like history and logbook.

image459×611 11 KB

Great. Thanks for the heads up!