WTH2 - WTH!? No RBAC - Role Based Access Control? (Users & Groups rights)

We definitely need a “Year of the User Management” :grin:

4 Likes

It would be great to have RBAC implemented. For now, I have a workaround whereby I deploy a separate HA instance for my kids which connects to the main HA via the Remote Home Assistant custom integration. It allows me to restrict the entities that are made available to the kids’ HA instance, and because they are not given admin access, they can’t do any automations, etc. I haven’t tried it, but perhaps there could be multiple instances of this type as well.

3 Likes

It is just mind boggling how such a well-known platform was released without basic security features like RBAC. How many years will it take to implement such a basic feature?!?

2 Likes

I have considered this for my situation many times, but don’t have much time to dedicate to it. I know my next question will depend greatly on each individual’s background and available hardware, but I run HAOS in a VM…wouldn’t be too bad to spin up another instance so…

Would you say the effort for doing this is:
A) Trivial
B) Takes a bit of work, but doable in a couple/few hours
C) Complex and takes the better part of a day or longer

thanks

Found this thread from another thread… figured I would post my thoughts here since it is recently active…

I just set up my 8-year-old’s iPad for Home Assistant to tame/tone down the “Daddy can you make my lights blue, 2min later… green, 30sec later red…” and so on. Technology is great sometimes and other times requires a beer for reasons like this.

So, I did the user visibility for the “Kids Room” tab on my main dashboard, which works great! However, we now have the “Assist” option; I gave this a quick test and all I can say is “Oh boy, this is gonna be fun!” As an example, even with my Office Desk Light not being visible on her iPad, she is able to type into Assist: “Turn off Desk Light” and now I am typing this in the dark again! She just has to know the device name.

The options in the companion app let me “hide” other dashboards like energy, keymaster, and other critical things. But once she figures out what security by obscurity means she will know how to unhide these.

So, I am +1 on having a better RBAC system in place.
Kids are the future, so there will soon be no way to keep them from only getting in the cookie jar! They will someday run circles around us.

1 Like

Reminder to everyone that kiosk-mode does what a lot of people in here are looking for.

Create a dashboard with only the entities you want a user to see and configure the device they use to use that dashboard by default. Then use kiosk-mode to hide the parts of the UI that you don’t want them to see (header, sidebar, more-info dialog options, etc). It offers a lot of control over what you can hide and whom you hide it for on a per-dashboard basis.

Here’s a simple config that I use to “lock down” a dashboard so they can only directly access what’s on it via the UI:

kiosk_mode:
  non_admin_settings:
    hide_header: true
    hide_sidebar: true
    hide_dialog_header_history: true

2 Likes

I already use Remote Home Assistant (where the main HA is actually the master of some remotes), so adding the main HA as a remote is trivial.

I run HA Core, so I just spun up an additional instance using the same Python environment, but in your case you might need to spin up a new HAOS VM which will not have any integrations (apart from Remote Home Assistant) or automations… really just using the frontend. Perhaps you might want to copy some existing cards over.

Probably a couple of hours.

2 Likes

Presumably, no matter how much you hide in the UI via workarounds, unless you can prevent the ability to type e or c anywhere on the dashboard, it definitely is not a suitable workaround.

I’m aware a staggering number of users don’t know about these shortcuts, which have been around for a few years now, but it would be very, very easy for someone to stumble across them.

1 Like

Those shortcuts are only enabled for admin users:

Not sure what you mean by “real reminder”, but I never said it was the “same thing”. I was offering people solutions instead of just complaints as you are.

1 Like

Oh excellent, that’s good to know, otherwise people can get to parts of the system that they definitely should not be accessing.

2 Likes

Kiosk mode works to present limited views to users and provide a simplified interface.

Kiosk mode does not prevent those users from url hacking and api usage beyond what is desired or provided in kiosk mode.

Kiosk mode is great for giving grandma an easy set of controls. Kiosk mode is not great for preventing the teenager from pranking the lights in your room in the middle of the night or worse.

2 Likes

Maybe this is the wrong group to chime in, and if so, please let me know. I have two Airbnbs with in-wall tablets with Home Assistant. Not a problem there, but when I create a user for an Airbnb guest, who knows nothing about Home Assistant, I have not figured out a way for them to log in and only see the assigned dashboard.

Is this really that hard to implement?

In other words, either via the HA app on Android/iPhone or an IP address, we are always forced to ‘configure’ each user? That seems to be quite painful and for sure not practical!

If there are ways of doing it, that would be wonderful, but I sure don’t see Kiosk being that option.

1 Like

Yes, you need to configure a user. Else you cannot grant access. No, you don’t want a system that doesn’t require user accounts. It’s an incredibly bad thing from a security perspective (and yes, tbh, out of scope for this thread; if you want to continue the discussion, probably open a new thread after searching).

That said, most people don’t ask their transient users to install anything and use a kiosk in concert with a preconfigured user account. Heck, most tenants don’t want complex.

Yes, that means you do not get zone data (no GPS, no app), so you cannot do location-aware unlocks etc., but tbh if I were your tenant I’m not giving you that anyhow. And I’m certainly not reconfiguring my install of HA Companion to talk to your install…

Just set your locks using a lock code solution in combination with whatever you’re using for booking, make the lighting as automatic as possible, give a small kiosk or a tablet for fancy movie controls, and they’ll be pleased as peaches.

Mind that this is a Home Assistant, not a Business Assistant :wink:

I’d also not recommend exposing HA directly to any people you can’t trust → like airbnb guests. It will not be safe in any way.

I guess the way to go is to find some kind of KIOSK software that could talk to HA over the REST API and recreate the whole UI on top of it. It should limit the user so they can’t see/change the REST details, though. Like a public information kiosk or something, idk. It’s a long shot anyway.
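The idea above (a kiosk front end that talks to HA over the REST API without letting the guest reach the API itself) comes down to one thing: the HA credential must stay server-side, and the server must enforce an allow-list of entities and services before it forwards anything. This is an added illustration written for this thread, not code from Home Assistant, kiosk-mode or any project mentioned here. It assumes a long-lived access token and the HA base URL are supplied via the environment variables HA_URL and HA_TOKEN (placeholders below), and that only the guest tablet can reach the gateway port, since the gateway itself does no authentication of the tablet. The HA endpoint it calls, POST /api/services/<domain>/<service> with an entity_id in the JSON body and a Bearer token header, is the documented HA REST API.

```python
"""Minimal allow-listing gateway between a guest tablet and Home Assistant.

Added example, not code from Home Assistant or this thread. Assumptions:
  - HA_URL / HA_TOKEN are set in the environment (placeholders otherwise).
  - Only the guest device can reach this gateway; the token never leaves it,
    so the guest cannot call the HA API directly or see the REST details.
"""
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HA_URL = os.environ.get("HA_URL", "http://homeassistant.local:8123")    # placeholder
HA_TOKEN = os.environ.get("HA_TOKEN", "REPLACE_WITH_LONG_LIVED_TOKEN")   # placeholder

# Server-side policy: which entity may be driven by which services.
# Anything not listed is refused before Home Assistant is ever contacted.
# Entity ids below are constructed sample values for the example.
ALLOWED = {
    "light.guest_room": {"turn_on", "turn_off", "toggle"},
    "cover.garage_door": {"open_cover", "close_cover"},
}


def is_allowed(entity_id, service):
    """True only for an (entity, service) pair explicitly on the allow-list."""
    return service in ALLOWED.get(entity_id, set())


def policy_decision(body):
    """Validate a raw guest request body. Returns (http_status, payload)."""
    try:
        data = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid json"}
    entity_id = data.get("entity_id") if isinstance(data, dict) else None
    service = data.get("service") if isinstance(data, dict) else None
    if not isinstance(entity_id, str) or not isinstance(service, str):
        return 400, {"error": "entity_id and service required"}
    if not is_allowed(entity_id, service):
        # Same answer for unknown and known-but-forbidden entities: the
        # guest learns nothing about what else exists in the installation.
        return 403, {"error": "not permitted"}
    return 200, {"entity_id": entity_id, "service": service}


def ha_service_request(entity_id, service):
    """Build the upstream HA call: POST /api/services/<domain>/<service>."""
    domain = entity_id.split(".", 1)[0]
    url = f"{HA_URL}/api/services/{domain}/{service}"
    payload = json.dumps({"entity_id": entity_id}).encode()
    return urllib.request.Request(
        url,
        data=payload,
        method="POST",
        headers={"Authorization": f"Bearer {HA_TOKEN}",
                 "Content-Type": "application/json"},
    )


class GuestGateway(BaseHTTPRequestHandler):
    """Single endpoint, POST /call, body {"entity_id": ..., "service": ...}."""

    def do_POST(self):
        if self.path != "/call":
            return self._send(404, {"error": "not found"})
        length = int(self.headers.get("Content-Length", 0))
        status, result = policy_decision(self.rfile.read(length))
        if status != 200:
            return self._send(status, result)
        req = ha_service_request(result["entity_id"], result["service"])
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                resp.read()
            self._send(200, {"ok": True})
        except Exception:
            # Never echo the upstream response or URL back to the tablet.
            self._send(502, {"error": "upstream failure"})

    def _send(self, status, obj):
        body = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to localhost only; put the tablet-facing side behind your own
    # reverse proxy or network segment rather than exposing this directly.
    HTTPServer(("127.0.0.1", 8080), GuestGateway).serve_forever()
```

The point of the shape is that the allow-list lives in the gateway process, not in anything the tablet renders, so hiding dashboards or sidebars is no longer the control: a guest who crafts their own request still hits the same policy_decision check, and a refused entity gets the same 403 whether it exists or not. Whatever front end you put on the tablet (a static page, a Node-RED dashboard, a kiosk browser) only ever sees this one endpoint.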

If I were to supply Airbnb guests with a UI to control things via a tablet, I would roll my own dashboard that outputs to a single endpoint.

Something like HA fusion would probably get the job done. I’d have to verify it doesn’t have the ability to edit things via its frontend; I haven’t used it yet. But based on how it’s built, I would assume that you wouldn’t have that type of control. https://github.com/matt8707/ha-fusion

EDIT: never mind. It looks like the editing is handled in the container as well.

Which means that leaves us with appdaemon dashboard as the easiest route to get the job done.

2 Likes

If anyone is using Node-RED (which I know petro is not ;)), you can create dashboards in there. They aren’t the prettiest, but get the job done. I used them in the past before kiosk-mode had all the features it does today.

Nooooooooooo way. Hard pass.

2 Likes

I too have a few Airbnb properties, it’s why I wrote Rental Control for the lock integration to calendars.

My properties have a few smarts in them, but in all cases (that matter) the guests have standard physical controls. The only exception is for garage door access. For those guests that need it (medium- to long-term guests), I provide access to the garage door remote via the Limited Guest addon. It doesn’t exactly give the prettiest interface, but for a simple toggle button for opening/closing a garage door with time limits it works well along with a custom URL.

Basically, I provide a situation where the guest really shouldn’t have to think about the fact that the house has some smarts, it just does the things it needs to and then gets out of their way.

2 Likes

No Airbnb business thing here. Just a normal home with two smart kids who will mess with the configuration as soon as they figure out they can control more than just the lights.

This discussion has been going for a few years; how is it going with the groups and rule based access? I would really like to give the kids an account so:

a) they can control their own lights without changing other stuff
b) have the HASS app on their phone so I know when they are safely at home (and they know I am at work or at the shop, maybe)

How can I help to get this Groups or “Rule Based Access Control” working?

1 Like

I have a housemate and it would be great to allow minimal access to only the stuff I think he needs. Nothing to do with a business, but simply making sure someone doesn’t break my setup or play with things I don’t want messed with, i.e. my irrigation, which is fully controlled by HA.

1 Like