WTH2 - WTH!? No RBAC - Role Based Access Control? (Users & Groups rights)

Just tried to setup a custom dashboard for my wife today.

It’s totally crazy that HA doesn’t have this. Maybe the simpler way would be to integrate an external open source RBAC system.

As a first approach, maybe with “little” functionality you can achieve a lot of cases:

  1. Device access (maybe entity): so you can set who has access to what at the device level. Just make the system ignore the devices (and their entities) the user has no access to. You can do a lot with this.

  2. Panel access: if you can’t access a panel, it’s not even shown in the sidebar. It would need some special options for hiding the default items like Map, Registry, History and Media.

You can go much deeper (services, read/write permissions, location-based permissions, etc.), but I would consider that these two things could make a good first version.

Cheers!
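A sketch in Python (Home Assistant's own language) of the two controls proposed above, added here as an example; it is not Home Assistant's auth/permissions code. The policy shape, the function names, the entity/device ids, the panel names and the cabin admin/guest users are constructed assumptions. The point it makes beyond the post: deny by default, treat a write grant as implying read, and enforce the check on the service call itself, so that hiding an entity from a dashboard is not the only barrier.

```python
"""Added example of a per-user device/panel access policy (not Home Assistant code).

All identifiers, registry entries and users below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample registry: entity_id -> device_id (in HA an entity may belong to a device).
ENTITY_DEVICE = {
    "light.living_room": "dev-lr-lamp",
    "switch.garage_door": "dev-garage",
    "climate.cabin": "dev-cabin-hvac",
    "sensor.cabin_temp": "dev-cabin-hvac",
    "camera.front_door": "dev-cam",
}

# Constructed sample of sidebar panels, including the default ones the post wants to hide.
ALL_PANELS = ("lovelace", "cabin-dashboard", "map", "history", "logbook", "media", "config")


@dataclass(frozen=True)
class Policy:
    """Per-user policy. Anything not listed is denied (default deny)."""
    read_devices: frozenset
    write_devices: frozenset
    panels: frozenset
    is_admin: bool = False


def can_read(policy: Policy, entity_id: str) -> bool:
    """A user may see an entity only if it belongs to a device they were granted."""
    if policy.is_admin:
        return True
    device = ENTITY_DEVICE.get(entity_id)
    # Entities with no device, or unknown ids, are denied rather than leaked.
    return device is not None and device in policy.read_devices


def can_write(policy: Policy, entity_id: str) -> bool:
    """Control requires a write grant on the device; write implies read."""
    if policy.is_admin:
        return True
    device = ENTITY_DEVICE.get(entity_id)
    return (
        device is not None
        and device in policy.write_devices
        and device in policy.read_devices
    )


def visible_states(policy: Policy, states: dict) -> dict:
    """Filter a state snapshot so denied entities are simply absent for this user."""
    return {eid: st for eid, st in states.items() if can_read(policy, eid)}


def visible_panels(policy: Policy, panels=ALL_PANELS) -> list:
    """Sidebar entries the user may open; default panels get no exemption."""
    if policy.is_admin:
        return list(panels)
    return [p for p in panels if p in policy.panels]


def call_service(policy: Policy, domain: str, service: str, entity_id: str) -> dict:
    """Server-side check on every call, independent of what the UI happens to render."""
    if not can_write(policy, entity_id):
        raise PermissionError(f"{domain}.{service} on {entity_id} not permitted")
    return {"domain": domain, "service": service, "target": entity_id}


# Constructed users for the cabin scenario raised later in the thread.
CABIN_ADMIN = Policy(
    read_devices=frozenset({"dev-cabin-hvac"}),
    write_devices=frozenset({"dev-cabin-hvac"}),
    panels=frozenset({"cabin-dashboard", "history"}),
)
CABIN_GUEST = Policy(
    read_devices=frozenset({"dev-cabin-hvac"}),
    write_devices=frozenset(),
    panels=frozenset({"cabin-dashboard"}),
)

# Constructed state snapshot: every registered entity with a placeholder state.
SAMPLE_STATES = {eid: "unknown" for eid in ENTITY_DEVICE}


if __name__ == "__main__":
    print(visible_states(CABIN_GUEST, SAMPLE_STATES))
    print(visible_panels(CABIN_ADMIN))
    try:
        call_service(CABIN_GUEST, "climate", "set_temperature", "climate.cabin")
    except PermissionError as err:
        print("denied:", err)
```

The guest sees the cabin climate and temperature entities and nothing else, can open only the cabin dashboard, and is refused at the service layer when trying to change the thermostat; the cabin admin gets the same read set plus control. Unknown entity ids and device-less entities fall through to deny, which is the case a quick UI-only filter usually misses.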

This looks really interesting. Maybe it wasn’t included when you tested it, haven’t tried myself but may give it a chance :slight_smile:

How would one achieve that?

I was just talking about how I think it could be planned in a first version. Later on yesterday, I had a look at this:

and the approach seems to be the same. I also did a search in the code of Home Assistant core, and those policies are there:

but I haven’t tested any of that config yet.

Need to find some time to try that out.

2 Likes

4 posts were split to a new topic: Home Assistant with auth0

Full disclosure: I work for Okta, which owns Auth0, but I’m not getting any special perks, just using a normal dev account.

As a fairly senior dev who works on IdPs for a living, I wouldn’t trust some dude’s side project to manage authn for me, even if I’m that dude. Again, it doesn’t have to be auth0, with a little bit more work it could be any OIDC SSO provider, including self-hosted ones (e.g. Keycloak).

Please get a new room together instead of this topic.

Not sure what some of you are suggesting with external systems, but really hope it doesn’t end up being something that requires the cloud and I don’t want to have to host anything else for it either.

Personally all the functionality I need is the same as what the media player Jellyfin offers. A username and password and each user has their own things they can access and their own database of how they have interacted with said things.

2 Likes

Late answer but this feature is already implemented

You can create a non-admin user with only local login ability.

But how does he access remotely?
VPN? Some type of SD-WAN like ZeroTier or Tailscale? This would put them on the local LAN and this would be useless.

This goes back to the root of the issue and simply one more use case why this is needed.

My answer was specific to the case where you want a user to be able to access HA only from home.

I wasn’t answering the main thread.

The issue with HA today is that it was made by developers for developers; they did a lot to make HA more user friendly, but there’s a lot of work to be able to give access to it to non-techy end users.

Thus yeah, we need RBAC; if there are security features and an API key pair instead of email/password for the cloud, it will let integrators use HA at their clients’ homes, hotels or offices.

I also need this. Use case - external zigbee coordinator at a cabin (through vpn). Need to give cabin “admin” access to some stuff there, and cabin guests access to some (but less) stuff there.
They can absolutely not have full access to the whole HA instance.

For now I need to run a separate HA instance just for this.

Any updates on this, or we still have to rely on hacs?

1 Like

What do you mean by that? Is there an addon that supports Role Based Access Control?

There was one

I don’t know if this is helpful, but I wanted to +1 this. Without RBAC things can get… well, very awkward. What can we do to move this along? I’d be happy to help with the dev effort, even.

5 Likes

Not exactly. There’s one that allows you to create some different permissions on a page but it looks like maybe the project is discontinued.

I imagine the dev effort would be fairly significant. You’d want to be pretty familiar with the core codebase. Read this blog post and the associated docs I mentioned in my comment above: WTH2 - WTH!? No RBAC - Role Based Access Control? (Users & Groups rights) - #14 by scottg489

Then look to see what the state of this is now. Once you have a good idea of how things work, then I think it would be a good idea to open a discussion in the architecture repo with ideas you have about implementing this and see what the response is.

3 Likes

So there’s been what I’d consider a fairly significant addition to the kiosk-mode custom component via this PR:

It allows you quite a bit of control to hide different aspects of the more-info dialogs. While not full-on RBAC, this gives the kind of control I’m looking for to lock down what the user can access via the UI, so I thought I’d share it here in case someone else finds it useful.

In my case, if I want to control what a non-admin user can do with HA, I add what I want to their dashboard and use these settings:

kiosk_mode:
  non_admin_settings:
    hide_header: true
    hide_sidebar: true
    hide_dialog_header_history: true

This prevents them from going anywhere other than that one dashboard (via UI controls). Check out the newly added settings in the PR and see if it works for you.

1 Like

Great! Thanks for the news!
Is there a way to do this if one user has to have access to two dashboards?
Other question, can it be done for a user whose dashboard is not the default one?