Restrict Logbook and History to admin

[seblu]

Hello,

Currently Lovelace let regular users open Logbook and History tabs. From there, they can spy everything happening on HASS and access to entities not provided via panels.

This disclose a lot of information which are not suitable to regular users and until a proper way is found to give fine grained accesses, I think we should not allow access to these information to non-admin.

Regards,

[Youpimatin]

I agree with this,
and I add that the Map tab may be restricted to admins too.

I hope that ultimately we could select users that have access to these tabs.

[initd0]

Agreed, i actually cant believe this isnt included as a security feature.
Whats the point of hiding Views if users can just simply look at the logbook and follow detailed information on entities?

Can this be looked at please? its a simple hide/restrict feature for specified users.

[edestecd]

In addition history and logbook do not honor permissions on entities as described here: https://developers.home-assistant.io/blog/2019/03/11/user-permissions/

That would also be a legitimate solution. There is simply no way I can find to restrict access to these so I have resorted to disabling them entirely which is very annoying. I would like to be able to offer access to folks that I do not want knowing the history of every entity

[ChrisBaker97]

In addition history and logbook do not honor permissions on entities as described here: https://developers.home-assistant.io/blog/2019/03/11/user-permissions/

On top of that, it now seems as if Home Assistant overwrites .storage/auth on reboot, which was quite a disappointment after spending a great deal of time meticulously adding only the entities I'd like our pet sitter to be able to access through these various back doors on the simplified interface I've created for her. 😕

[edestecd]

If someone can point me in the right direction I can start a PR for this.... I'll try to poke around but some direction may be helpful.

[Ronaldo0611]

If someone can point me in the right direction I can start a PR for this.... I'll try to poke around but some direction may be helpful.

that you mean? If someone can guide me, I can start a pull request (PR). I'll explore the codebase on my own, but any direction on where to focus would be helpful.

[dougiteixeira]

It would be nice if the energy dashboard also had an option to show or not to non-admin users.

[kongo09]

I see this in context of #11778 as a general dashboard feature

[FredFredrickson]

Any update to this? This is a serious security concern as it exposes GPS coordinates to all users.

[initd0]

it seems we are not getting the attention of the devs. Is it possible someone here can ping one of the main devs to just have a look at this and provide a possible solution so we can see if we should keep our hopes up for this or not?
How many years exactly must pass so we can get noticed about this?

[FredFredrickson]

I'm not sure how to ping the devs so hopefully somebody with more knowledge can do it.

This security hole is a big one. If you want to add your kids to the presence monitoring, they de facto have the ability to track your GPS anywhere you go. That's a major problem.

[kongo09]

I don't think there is any need to ping anyone. Generally, the Devs have a pretty good overview of discussions like these.

Please keep in mind that this is a volunteer dev effort and not a product led project. Most stuff happens because someone has will and capacity to do it
Not because it is ranked high on a roadmap. That doesn't necessarily lead to the best outcome from a user perspective, but that's the deal.

[FredFredrickson]

I wish I knew more about the project or inner workings I'd be happy to contribute. I don't even know where to start on a feature like permissions.

[jburget]

Ok, I understand implementing user permissions is quite complicated. Especially in such a huge and complex project. As a easy start, I would suggest to disable creating access tokens for rest API for non-admin users. I can imagine my son growing up and hacking into HA via log messages, detailed documentation, and access token generated from his account.

[jburget]

quick update, I was searching around, and founded some notes in documentation about it: User groups, and structure of policy permissions. Of toppic, I know. It is backend. I tested to do some changes in .storage/auth file, and it removes my custom groups, and also removes any changes I make in user's group list. Change disapears when someone is trying to log in. So I guess it happens when file is loaded to program.

But I am happy to see some base structure for permission system. I will try to search this topic in core repo, and add this info, there.

[RoboMagus]

An extension to this, but very much related, would be the permission of the more info dialog that can be accessed from the dashboards. There can be additional entities exposed through there and it can be used as a steppingstone to control entities that would otherwise be unreachable for unauthorized users (by e.g. navigating through related devices / entities).

Edit:
The additional settings, and related entities etc. are behind admin wall already so that is not an issue. But having control over what users get to see the more info dialog at all would still be appreciated.

[Kernald]

There are a lot of ways to access things you shouldn't be allowed to access already, unfortunately. For example, if a Lovelace view is not visible to a user but they have access to the view before and after, the URL will go from e.g. lovelace/2 to lovelace/4 when navigating from one view to the other. What do you know, typing manually lovelace/3 (which is not that hard to guess...) works just fine and will open the view that's supposedly not visible to said user.

It's... not great.

[illnesse]

it was sad to realize user permissions management is pretty much nonexistant in HA, at least not in a useful state :|

[tybeonagy]

I just want to ask is there any update on this topic?
Currently I want to setup Home Assistant App in my little brother phone but I don't want him to access Map, Logbook, History, etc...

[iainp999]

Does anyone know if this got any traction?

I'm chasing a few threads on the internet as, for me this is a big omission - to me, even more important than "year of the voice", maybe we should have had "year of the security"? :)

Joking aside, I really don't want a lot of my users (we have a few guests using the official app) viewing logs etc.

[iainp999]

It seems odd, and negligent, to suggest that security should not be at the heart of software that controls your home.

[jp83]

I agree, I have a use case with a shared use property. I'd like to administer it but give certain users/guests basic access. It might not be fully locked down and secure, but at the very least would like to hide/disable log and history from UI as discussed here. As a workaround for more granular control I had thought about running another HA instance connected to the main one via just partially/explicitly subscribed MQTT. It's redundant but this could even be run in another container, possibly even as an add-on, but again fundamentally would like to remove log and history from this.

I can understand hesitation against doing this in the name of security if that somehow implies things are secure at a deeper level which might require significant rework. I just see this part as a basic user preference request to limit the UI.

[brianmay]

In my case, we have a number of people in our house/family, and various ongoing conflicts. I would like my home automation to be able to make decisions based on the sensors on their mobile phones, but if I did this using the home assistant app I would be granting everyone full access to everyone's data, which would likely escalate the conflicts. Especially the location data. There doesn't appear to be anyway of saying "allow this use to connect and supply data from sensors but restrict access to stored data".

If you have a simple household, and everyone trusts everyone else, I agree, there is no problem. But in my experience families are almost never this simple.

[FredFredrickson]

Agreed with brianmay here. I want to turn on my heat when me or my wife are coming home from work. But that puts a real-time tracker on both of us. You can literally just check the map and see where the other is, even outside designated zones.

That completely fails both the wife-acceptance-factor, as well as my own privacy. That's just too much for a normal relationship.

[gooba42]

I'm trying to get my kids access to HomeAssistant controls because they also like to be able to control lights and fans. I don't want them to change the ad blocking/parental controls though. It would be awesome if at the add-on/integration level I could say "Not for kids".

There are privacy and security implications to "Everybody has everything" but my immediate material concern is "Don't let the kids screw with the network" and it's not supported currently.

[mcblum]

Question for anyone still monitoring this thread -- did RBAC ever get implemented? I don't know Python at all, but I could do the frontend work if someone could do the backend side of things.

[onthegrid007]

I think Home Assistant is dead because of this there's a couple other home automation systems that work better and have more security Unfortunately

…

On Tue, Aug 20, 2024 at 10:06 AM Matt Blum ***@***.***> wrote: Question for anyone still monitoring this thread -- did RBAC ever get implemented? I don't know Python at all, but I could do the frontend work if someone could do the backend side of things. — Reply to this email directly, view it on GitHub <#7361 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKLWZIQ3Y3CEAME5UUJJXNTZSNZTHAVCNFSM4STMIVWKU5DIOJSWCZC7NNSXTOSENFZWG5LTONUW63SDN5WW2ZLOOQ5TCMBTHE4DINZY> . You are receiving this because you are subscribed to this thread.Message ID: <home-assistant/frontend/repo-discussions/7361/comments/10398478@ github.com>

[tuomasva]

can you name some?

[onthegrid007]

HomeLab I think is one of them

[tuomasva]

A lot of "I think" here.

[onthegrid007]

No idea haven't looked at it in years but unfortunately this has been an issue for some time now also meaning even if you even make a PR you may not have an "active" maintainer to publish and approve it...

…

On Thu, Aug 22, 2024 at 6:57 PM Ronaldo0611 ***@***.***> wrote: If someone can point <https://gowelllive.com/8-best-mattress-toppers/> me in the right direction I can start a PR for this.... I'll try to poke around but some direction may be helpful. that you mean? If someone can guide me, I can start a pull request (PR). I'll explore the codebase on my own, but any direction on where to focus would be helpful. — Reply to this email directly, view it on GitHub <#7361 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKLWZIXXD66HSUT7GMTF463ZS2JHTAVCNFSM4STMIVWKU5DIOJSWCZC7NNSXTOSENFZWG5LTONUW63SDN5WW2ZLOOQ5TCMBUGI2TCNZV> . You are receiving this because you are subscribed to this thread.Message ID: <home-assistant/frontend/repo-discussions/7361/comments/10425175@ github.com>

[onthegrid007]

Correct.

…

On Fri, Nov 1, 2024 at 11:40 AM Tuomas Valtonen ***@***.***> wrote: A lot of "I think" here. — Reply to this email directly, view it on GitHub <#7361 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKLWZITO7C27ZV24D2O5TH3Z6PDI7AVCNFSM4STMIVWKU5DIOJSWCZC7NNSXTOSENFZWG5LTONUW63SDN5WW2ZLOOQ5TCMJRGI2TANRS> . You are receiving this because you are subscribed to this thread.Message ID: <home-assistant/frontend/repo-discussions/7361/comments/11125062@ github.com>

[Keili78]

In my oppinion, managing of ACLs for each Device / Entity is not the way you want (huge config overhead).
Maybe it's possible to restrict non admin users to theyer dashboards only and give them the ability to search the entities, which are linked on the dashboards they've access to.