Hi Mark,
I’m using such set-up around my house with several tablets available on wall for use by my family as well as visitors. All being regular users without any technical knowledge of OH and my system set-up. It is now working in the set-up below for more than a year with no complain from the users.
Here is how I have overcome the issues you describe:
1. Multi-user support
This is something that took me the most effort. For that I have reworked the openhab-multiuser-proxy project to be compatible with OH3+ as well as contributed some changes to the OH MainUI. My working multiuser-proxy solution is here: GitHub - Davek145/openhab-multiuser-proxy: openHAB Multi-User support for the REST API v 2.0.2
What it does is that it adds real and fully working user authenthication using mTLS certificates and NGINX reverse proxy. Based on this authentication, back-end NodeJS package is getting data from OH Rest API and performs filtering of Items, MainUI Pages and Sitemaps. Items/Pages and Sitemaps are having specific ACL Tag that is than used for the filtering. I’m having hierarchy or user roles and groups of OH objects defined (i.e. authorization definition) that using a rule is than populating these ACL Tags to individual Items.
So, at back-end OH access for normal users is not using any authentication. However, using the proxy I’m able to differentiate between them and every user gets only those Items and Pages that they should get. It is much more bullet-proof and secure than the visibleTo property in OH itself, as this proxy really filters the Rest API. So the user cannot work with any Item he does not have access right defined. Not only hidden in MainUI as the visibleTo property in OH. Actually, with correctly set-up proxy and firewall I do have full control over who and to what does have access in the Rest API itself, regardless what way they access it (i.e. not only using MainUI, but also direct API request as well). Even if they would know the Item name and want to “hack it” by calling Rest API, such action would be forbiden by the proxy. I do have additional security measures set at the NGINX (e.g. WAF), but that is not important for this description.
In my set-up I do have specific PKI certificate generated for each wall tablet and other user device having specific CN and OU used by NGINX for the mTLS authentication.
2. OH Set-up
As described above, for all Items in my set-up I do have specific ACL Tag assiged that is than used by the NodeJS for filtering. This way, I do have defined subset of Items that are available at Wall tablets or for other users. As described earlier, due to full scale RestAPI filtering my guests really see only Items I want them to see. All other items are not available to them.
Similar way, I do have specific MainUI Pages prepared for them, that they do have available. And oposite, there are Pages I use, that are not visible to my Guests at all similar to Items.
What is very nice on filtering of Items provided by RestAPI is, that for standard control we all use the MainUI including Overview and Location tabs. But every user is having different set of Locations, Equipments and Points (and Pages in Menu) based on what ACL Tag is set at it. E.g. we all see “Living room”, but guests can see and control only lights. My wife can also adjust room temperature. But I can control also power sockets and other technologies in the room. And so on.
3. UI used on tablets
I have experienced exactly the same issues you are describing for the OH Android app. For that reason, I’m using this app only on phones of my family members, which know how to use it.
For wall tablets I’m not using it.
Instead, I use Fully Kiosk Browser as Android launcher at all my wall tablets. This application is able to lock the tablet to allow only specific interations with it and at the same this it is fully capable web browser including ability to use PKI certificates mTLS proxy authentication. It is able to limit even external links etc., so the user cannot leave the space you want them to be in.
I use my filtered OH MainUI as the web page provided by Fully to users. It works well and, in my view, is sufficiently bullet prove for non technical users.
I know it may all sound quite complicated and it took me a while to make it working. But vast majority was the time needed to develop the Multi-user Proxy working with OH3+ and MainUI. Now, it is ready and available to everybody as NodeJS package including documentation and guidance for installation and set-up. So, shall not be complicated and time consuming any more.
For sure credit goes also toe Florian, as he made the original Multi-user Proxy for Sitemaps that I have used as the start for my work.
Hope this helps.