WTH2 - WTH!? No RBAC - Role Based Access Control? (Users & Groups rights)

Agree strongly on this, commenting here because I expected to find this WTH topic by searching for “authorization”. RBAC is not the only viable authorization scheme, there is a scale from the really simple and inadequate (which is what HA has now, in my opinion) via RBAC to full-fledged ABAC or other policy based authorisation. So what I’d really like is a discussion of what HAs authorization scheme should ideally look like, and the path towards an implementation.

Any kind of RBAC should also support more authentication methods. Let me set up Sign in with Google, or LDAP, or whatever.

Authorization and authentication are not the same thing.

This WTH is about authorization. As in given that HA knows who the user is, WTH aren’t there more options for an admin to restrict what that user can see and do?

Authentication is how HA figures out who the user is, a prerequisite to determining what they can see to do. If you think there needs to be more options for that, please open a different WTH. Or just vote for this one since I’m pretty sure that’s what you’re looking for.

This is my number one wish for HA. I’d love to have a dash for guests, for children, for spouse and then myself of course!
I do believe this should be native though…I’ve tried the kiosk mode and it can easily be defeated so it won’t do in my situation.

Role based access control is my most sought after feature. Our dog sitter lives in our other house and I would really love to give her access to a limited subset of Home Assistant.

Even being not technically inclined at all, she was able to find her way around and started trolling us by switching on and off our lights in the living room.

I agree with the suggestion from @appleguru that a restricted mode should default to no access, with granular access added as needed.

It seems like they had started to work on this a while ago:

A few months back I tried implementing this (on a test instance). However, after making the changes and trying to start up HA, it would fail to start and I wasn’t able to see any logs indicating what the problem was.

Would be interested to hear from some devs on what the state of this might be and what could’ve gone wrong.

Two use-cases for the same user:

1. My son should not be able to do goofy things like flash the living room lights or change the music. He should have control access to his room only, even from his ipad.

2. When he’s at his mom’s house he shouldn’t even be able to access. I REALLY don’t want my Ex or his friends at his mom’s house to see my front yard cameras, for instance.

This one is in the right place, that’s RBAC.

This one isn’t. You’re going to need a different WTH for this one, that’s not RBAC anymore.

Rbac is basically where an admin can create roles/groups and put users in them. Then they can decide what each role/group can or cannot access. What a user can or cannot do is then determined by their roles.

But roles are static. A user either is or isn’t an admin. Or a developer. Or a manager. Or whatever roles you want to make up.

What you’re asking for is not static. You’re asking for a users access to change based on their physical location. The same user can see and do different stuff depending on the current value of some attribute of that user. You’ve now moved past RBAC and into ABAC territory.

True, this isn’t an RBAC thing, but combined with the local only user system that was added some time ago it would do what is wanted.

At a minimum,
Restrict the overview page in the backend rather than the frontend and force a default view to specific user

In the backend only. No more frontend user admin pls.

I really need this.

My use case is, that I’m the admin, and I might allow someone who’s not an admin to connect a new light bulb or create automations, but I might not want this person to install new integrations or mess around with the .yaml config files.

You might call it a ‘superuser’-level.

So what I need is; admin, superuser and user roles. Should be possible to achieve with RBAC.

I would love this! As thing are now the user has way too much access and we only have two tiers.

+1

I have 2 main use cases.
id like to create a user for regular guests that only control things in certain areas of the house – roles per zones/areas if you will!

Id also like to help out some family members who have a few sensors or a smart garage door opener thats cloud based, and set it up in HA to make it more user friendly. Sure I could setup HA at their location but then i have to manage and maintain it.

I also feel this should be a priority.

Guest mode addon does not fit all.

PRETTY PLEASE

You can restrict accounts to access you HA instance from home only.

This is so important.

The visibility settings for lovelace were a good start. I am able to restrict my kids from being able to see and control some things. But, they still see the link to node-red and esphome in the sidebar. That could lead to disaster if they ever decide to mess around in there.

Refining the access controls is a huge step towards big WAF points! Just imagine what we could be doing instead of training our users on what they aren’t allowed to touch!

I concur.

While on this subject I have this use case which extends RBAC by including an ability to trust a remote ID.
Take the following situation, I know 3 people using HA to run their homes, they all have the HA client installed on their phones and while not wanting to give full access to each other would like to allow a trusted person with HA on their phone to have some access to their devices at some times of day.
Using some form of open ID trust would allow a user to see the bits they have rights to once that OpenID was trusted and assigned a role.

That is my 2 pennies worth.
Thanks,
Chris.

Also a “device” type account/role combination would be brilliant. I have a touch screen that logs in via browser as a console “user” and shows household data and settings.
The ability to require that account to see only the console user dashboard and the devices that it has rights to would be perfect.

Would love to be able to have different profiles like these examples. Have HA installed on kids tablets and took some work to restrict to one dashboard but my kids can still go into the settings and add other dashboards or other things.

I‘d love to have that as well. We are currently doing a small “smart-company” project which’d need exactly such kind of feature. Normal users should not be able to see all things going on in the logbook.
Hope something like this is coming in the near future.