I’m only a month into using HA, but I just discovered that this doesn’t currently exist, and it blows my mind. Here’s our use case:
My mother-in-law lives with us in an in-law suite. I’d like to give her access to her HVAC controls, her garage door, and a few other key things, but she absolutely doesn’t need to have access to the rest of my and my girlfriend’s information. All I wanted was to create a limited dashboard for her, but I’m already realizing it’s going to be incredibly difficult (impossible?) to meaningfully limit her in a way that isn’t easily undone.
It also means there’s no way in hell I’m doing what I had planned, and putting a tablet in the guest room, because my nerdy friends would have a field day with that one every time they visited.
I feel like RBAC is kind of like the foundation of a system that is meant to control a home, and therefore be interacted with by a variety of users who absolutely should not all be expected to qualify for the same level of access.
Just tried to setup a custom dashboard for my wife today.
It’s totally crazy that HA doesn’t have this. Maybe the simpler way would be to integrate an external open source RBAC system.
As a first approach, maybe with “little” functionality you can achieve a lot of cases:
Device Access (maybe entity): so you can set who has access to what at the device level. Just make the system ignore the devices (and its entities) the user has no access to. You can do a lot with this.
Panel access: if you can’t access a panel, it’s not even shown in the sidebar. It would need some special options for hiding the default items like Map, Registry, History and media.
You can go much deeper (services, read/write permissions, location based permissions, etc.), but I would consider that these two things can make a good first version.
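To make the two proposals above concrete, here is an added, hypothetical Python sketch of that model (device-level grants expanded to entities, plus a panel allow-list, deny by default). It is not Home Assistant code; the device registry, panel names, roles and entity ids are constructed sample data for illustration.

```python
"""Toy RBAC filter for the device-access and panel-access proposals.
Hypothetical example: not Home Assistant's own code. DEVICES, the panel
names and the roles below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample registry: device id -> entities it owns
# (mirrors the device/entity split the proposal grants access on).
DEVICES = {
    "hvac_inlaw": ["climate.inlaw_suite", "sensor.inlaw_suite_temperature"],
    "garage_door": ["cover.garage_door", "binary_sensor.garage_door_contact"],
    "main_hvac": ["climate.main_house"],
    "front_camera": ["camera.front_door"],
}

# Constructed panel list: the default sidebar items the proposal wants to be
# able to hide, plus two dashboards.
REGISTERED_PANELS = {"map", "logbook", "history", "media-browser", "config",
                     "lovelace", "inlaw-dashboard"}


@dataclass(frozen=True)
class Role:
    name: str
    devices: frozenset   # device ids the role may see
    panels: frozenset    # sidebar panels the role may open
    writable: bool = True  # may the role call services on its entities?


def entities_for(role: Role) -> set:
    """Expand device-level grants to entity ids. Unknown devices expand to
    nothing, so a typo in a grant fails closed."""
    return {e for d in role.devices for e in DEVICES.get(d, [])}


def filter_states(states: dict, role: Role) -> dict:
    """Keep only the states the role may see. Everything else is dropped from
    the response rather than merely hidden in the UI, which is what makes the
    restriction hard to undo from the client side."""
    allowed = entities_for(role)
    return {eid: s for eid, s in states.items() if eid in allowed}


def visible_panels(role: Role) -> set:
    """Panels to render in the sidebar: only those both registered and granted."""
    return REGISTERED_PANELS & role.panels


def authorize_service(role: Role, domain: str, service: str, entity_id: str) -> bool:
    """Deny-by-default check for a service call: the entity must be granted and
    the role must be writable. Domain/service are accepted for logging only."""
    del domain, service  # a fuller model would add per-service rules here
    return role.writable and entity_id in entities_for(role)


# Constructed roles for the in-law-suite scenario from the thread.
ADMIN = Role("admin", frozenset(DEVICES), frozenset(REGISTERED_PANELS))
INLAW = Role("inlaw", frozenset({"hvac_inlaw", "garage_door"}),
             frozenset({"inlaw-dashboard"}))
GUEST = Role("guest", frozenset({"hvac_inlaw"}),
             frozenset({"inlaw-dashboard"}), writable=False)

# Constructed state snapshot standing in for the full HA state machine.
STATES = {
    "climate.inlaw_suite": "heat",
    "sensor.inlaw_suite_temperature": "21.5",
    "cover.garage_door": "closed",
    "binary_sensor.garage_door_contact": "off",
    "climate.main_house": "cool",
    "camera.front_door": "recording",
    "light.bedroom": "on",  # belongs to no registered device
}

if __name__ == "__main__":
    print(sorted(filter_states(STATES, INLAW)))
    print(sorted(visible_panels(INLAW)))
    print(authorize_service(INLAW, "cover", "open_cover", "cover.garage_door"))
    print(authorize_service(GUEST, "climate", "set_temperature", "climate.inlaw_suite"))
```

The point of doing the filtering server-side (in `filter_states` and `authorize_service`) rather than in a dashboard is that a user who opens a different URL, or the developer tools, gets the same filtered view; a dashboard-only restriction is the "easily undone" case the first post describes.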
Full disclosure: I work for Okta, which owns Auth0, but I’m not getting any special perks, just using a normal dev account.
As a fairly senior dev who works on IdPs for a living, I wouldn’t trust some dude’s side project to manage authn for me, even if I’m that dude. Again, it doesn’t have to be auth0, with a little bit more work it could be any OIDC SSO provider, including self-hosted ones (e.g. Keycloak).
Not sure what some of you are suggesting with external systems, but really hope it doesn’t end up being something that requires the cloud and I don’t want to have to host anything else for it either.
Personally all the functionality I need is the same as what the media player Jellyfin offers. A username and password and each user has their own things they can access and their own database of how they have interacted with said things.
My answer was specific to the case where you want a user to be able to access HA only from home.
I wasn’t answering the main thread.
The issue with HA today is that it was made by developers for developers. They did a lot to make HA more user friendly, but there’s a lot of work to be done to be able to give access to it to non-techy end users.
Thus yeah, we need RBAC. If there are security features and an API key pair instead of email/password for cloud, it will let integrators use HA at their clients’ homes, hotels or offices.
I also need this. Use case - external zigbee coordinator at a cabin (through vpn). Need to give cabin “admin” access to some stuff there, and cabin guests access to some (but less) stuff there.
They can absolutely not have full access to the whole HA instance.
For now I need to run a separate HA instance just for this.
I don’t know if this is helpful, but I wanted to +1 this. Without RBAC things can get… well, very awkward. What can we do to move this along? I’d be happy to help with the dev effort, even.
Then look to see what the state of this is now. Once you have a good idea of how things work, then I think it would be a good idea to open a discussion in the architecture repo with ideas you have about implementing this and see what the response is.
So there’s been what I’d consider a fairly significant addition to the kiosk-mode custom component via this PR:
It allows you quite a bit of control to hide different aspects of the more-info dialogs. While not full-on RBAC, this gives the kind of control I’m looking for to lock down what the user can access via the UI, so I thought I’d share it here in case someone else finds it useful.
In my case, if I want to control what a non-admin user can do with HA, I add what I want to their dashboard and use these settings:
This prevents them from going anywhere other than that one dashboard (via UI controls). Check out the newly added settings in the PR and see if it works for you.