Custom roles and permissions

Hi,

I’m with openHAB 5.1.3 on OpenBSD amd64.

As far as I have researched, it’s not possible to manage custom roles for users in the karaf console, as it’s still an open enhancement request: Add/remove user roles via karaf console · Issue #2453 · openhab/openhab-core · GitHub

but I found I can edit:
vi /var/db/openhab/jsondb/users.json

and just add multiple roles to the array, like:
`"roles": ["administrator","parent"],`
And then in karaf console they are shown:

openhab> openhab:users list
sebastia (administrator, parent)
test1 (child, user)
test2 (parent, user)

I found that at least the user or administrator role is necessary, but then I can add more roles to each user. So I have to combine my custom “parent” and “child” roles with the “user” role.

So far so good. In the Pages, I can use:

visibleTo:
- role:parent

to hide elements from children. That’s nice.

The default Overview page renders my locations with equipment semantically, and as far as I have figured out so far, I can only hide the complete Overview page.
I haven’t found a way to, for example, hide some of the equipment or make it read-only.

Can I do this in the overview page, or at the item or in the model?

When I create a custom page and I have controls, I want them to be usable for parents, but for children I’d like to have them read-only, because they may show a current state.
Is that something I could achieve?

cheers,
Sebastian
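Added example, not from Sebastian’s post and not openHAB’s own tooling: a small Python script that does the users.json edit described above by script instead of vi, but checks the constraint from the post (every user keeps “user” or “administrator”) before writing, and replaces the file atomically with a .bak copy. The per-user entry layout in the JSON DB (a “class”/“value” wrapper around the user object), the role-name pattern and the sample users are assumptions/constructed; the path is the OpenBSD one from the post. Run it with openHAB stopped, since a running instance holds the JSON DB in memory and writes it back on change.

```python
"""Add a custom role to an openHAB user in the JSON DB users.json.

Added example, not part of the thread or of openHAB. Assumed layout of the
JSON DB (one entry per username wrapping the ManagedUser object):
  {"<name>": {"class": "org.openhab.core.auth.ManagedUser",
              "value": {"name": ..., "roles": [...], ...}}}
Run it with openHAB stopped: a running instance keeps the JSON DB in memory
and writes it back on change, so a manual edit can otherwise be lost.
"""
import json
import os
import re
import shutil
import stat
import sys
import tempfile

USERS_JSON = "/var/db/openhab/jsondb/users.json"   # OpenBSD path from the post
BASE_ROLES = {"user", "administrator"}             # one of these must remain (per the post)
ROLE_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")   # assumed: keep custom role names simple

# Constructed sample DB (no real hashes); test1 lacks a base role on purpose.
SAMPLE_USERS_JSON = """{
  "sebastia": {"class": "org.openhab.core.auth.ManagedUser",
               "value": {"name": "sebastia", "passwordHash": "x", "passwordSalt": "y",
                         "roles": ["administrator"], "sessions": [], "apiTokens": []}},
  "test1": {"class": "org.openhab.core.auth.ManagedUser",
            "value": {"name": "test1", "passwordHash": "x", "passwordSalt": "y",
                      "roles": ["child"], "sessions": [], "apiTokens": []}}
}"""


def parse_db(text):
    """Parse the JSON DB and reject anything that is not the expected layout."""
    db = json.loads(text)
    for name, entry in db.items():
        roles = entry.get("value", {}).get("roles")
        if not isinstance(roles, list):
            raise ValueError(f"unexpected entry layout for user {name!r}")
    return db


def roles_of(db, username):
    return list(db[username]["value"]["roles"])


def users_missing_base_role(db):
    """Users that would be locked out: no 'user' and no 'administrator' role."""
    return sorted(name for name, e in db.items()
                  if not BASE_ROLES & set(e["value"]["roles"]))


def add_role(db, username, role):
    """Append role to the user's role array (idempotent); returns the new list."""
    if not ROLE_RE.match(role):
        raise ValueError(f"refusing odd role name {role!r}")
    roles = db[username]["value"]["roles"]      # KeyError for an unknown user
    if role not in roles:
        roles.append(role)
    return list(roles)


def update_users_file(path, username, role):
    """Load, edit, verify, then replace the file atomically, keeping a .bak copy."""
    with open(path, encoding="utf-8") as f:
        db = parse_db(f.read())
    add_role(db, username, role)
    missing = users_missing_base_role(db)
    if missing:
        raise ValueError(f"users without 'user'/'administrator' role: {missing}")
    shutil.copy2(path, path + ".bak")
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(prefix=".users.json.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(db, f, indent=2)
            f.write("\n")
        os.chmod(tmp, stat.S_IMODE(st.st_mode))   # keep the original (restrictive) mode
        try:
            os.chown(tmp, st.st_uid, st.st_gid)   # keep the openhab owner when run as root
        except PermissionError:
            pass
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return db


if __name__ == "__main__":
    # usage: add_role.py <username> <role> [path]
    user, role = sys.argv[1], sys.argv[2]
    path = sys.argv[3] if len(sys.argv) > 3 else USERS_JSON
    print(f"{user}: {roles_of(update_users_file(path, user, role), user)}")
```

After the edit, `openhab:users list` in the karaf console should show the new role next to the user, as in the listing above; the script refuses to write if any user would end up with neither “user” nor “administrator”.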

You can hide them at the Item/Widget level. To hide them in the tabs of the Overview page you go to the Item you don’t want to appear, click “Add metadata to Item” and select “default list item widget”. There you can change the widget that will be shown in the cards on the Overview page. At the bottom you’ll find the “visible” and “visible to” fields.

However, I don’t know if the list for the “visible to” field will pick up your custom roles or not. If not you can just select “admin” and then open the code tab and manually add your parent role or whatever.

Note that the “visible” field will take an expression so, for example, you can hide a widget based on the state of Items or such.

For custom pages, one good approach is to add a “default stand alone widget” to the Equipment Group. Then you can just add the Equipment to the page and that is the widget that will be used.

Having widgets visible but read only for users of certain roles will probably require quite a bit of complicated expressions. But the user role is available to the widget expressions so that should be doable. It might be sufficient to change the action using an expression and have it set a variable for the kids’ role and do the real action for the parents’ role.

But if you want to actually change the widget entirely it might be easier to create two widgets for your custom page, one read only and one interactive and use the visible to fields to hide one or the other based on the logged in role.

Or just create two separate pages and hide the pages based on the roles.

Hi Rich,

the hint with the “Add Metadata” → “Default List Item Widget” was the missing piece.

In the visible: field I tried something like:

visible: =device.clientInfo.roles.includes('parent')

but that didn’t work out. “Visible only to” only allowed me to select between “Administrator” and “User”. It doesn’t seem to be aware of my custom roles or groups.

But switching from “Config” to “Code” Tab, I was able to:

value: " "
config:
  visibleTo:
    - role: parent

and that worked like a charm.

There are a few devices I definitely don’t want kids to tinker with, and being able to hide them this way is exactly what I was looking for.

Now also found this: User Interface Design Overview | Documentation Preview

For my kids at home, totally fine, but wouldn’t use this in something more public then :wink:

thanks,

Sebastian

According to the docs the expression would be

visible: '=user.roles.includes("parent")'

Note the quotes around the expression are required. And I think using user over device is more flexible and will work no matter what client is used to access MainUI.

Indeed. Visibility is merely cosmetic. All the Items are available through the REST API. Someone who knows OH or is even a little bit determined can access and command any Item.

I’m not suggesting that this makes it somehow “secure”, but almost all the REST endpoints require admin privileges. You specify the level required when you declare the endpoint, and it seems to me that this is mostly just copied without more reflection, so that I’ve only seen a very few that don’t require admin privileges.

Yes, just confirming the above snippet also works.

Items do not.

Those endpoints required for sitemaps and MainUI to provide the user facing stuff are available to the “user” role.

The point is that access is to all Items. Any user logged in with the “user” role can access and send command to any and all Items. If the implicit user role is enabled, anyone who can access openHAB on the network whether they are logged in or not can access and send command to any and all Items.

Setting the visibility of an Item’s widget so only the admin role can see it does not prevent someone with a user role accessing the Item. It just hides the UI widget from the Page or sitemap.
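To make that point concrete, here is an added Python probe (not from this thread and not openHAB’s own tooling) that does what a curious kid, or anyone who can reach openHAB on the network, could do: list every Item over the REST API and send a command to one that has been hidden with visibleTo. Assumptions, labelled in the code: GET /rest/items returns a JSON array of Items, POST /rest/items/<name> with a text/plain body sends a command, and an API token goes in an Authorization: Bearer header; the base URL, token and the Lock_FrontDoor Item are placeholders, and the offline run uses a constructed stand-in server. Run it without a token against a real instance to see whether the implicit user role is on.

```python
"""Probe what the openHAB REST API lets a credential do, regardless of MainUI
visibility settings. Added example, not from the thread or from openHAB.

Assumed REST behaviour (labelled): GET /rest/items -> JSON array of Items with
"name", "type", "state"; POST /rest/items/<name> with a text/plain body sends
a command; an API token is sent as "Authorization: Bearer <token>". A 401/403
means the server denied the request. fake_server() is a constructed stand-in
so the script also runs offline.
"""
import json
import sys
import urllib.error
import urllib.request

BASE_URL = "http://openhab.local:8080"   # placeholder
HIDDEN_ITEM = "Lock_FrontDoor"           # placeholder: an Item hidden with visibleTo


def build_request(base_url, path, token=None, command=None):
    """The request MainUI itself would make; visibleTo never enters into it."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token   # no token: relies on the implicit user role
    data, method = None, "GET"
    if command is not None:
        data, method = command.encode(), "POST"
        headers["Content-Type"] = "text/plain"
    return urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                  headers=headers, method=method)


def send(req, opener=urllib.request.urlopen):
    """Return (status, body); 4xx/5xx come back as a status instead of raising."""
    try:
        with opener(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def list_items(base_url, token=None, opener=urllib.request.urlopen):
    """(status, [(name, type, state), ...]); an empty list on denial."""
    status, body = send(build_request(base_url, "/rest/items", token), opener)
    if status != 200:
        return status, []
    return status, [(i["name"], i["type"], i.get("state")) for i in json.loads(body)]


def command_item(base_url, item, command, token=None, opener=urllib.request.urlopen):
    """HTTP status of sending `command` to `item`."""
    req = build_request(base_url, f"/rest/items/{item}", token, command)
    return send(req, opener)[0]


def probe(base_url, item, command="OFF", token=None, opener=urllib.request.urlopen):
    """Summarise what this credential can see and do, hidden widget or not."""
    status, items = list_items(base_url, token, opener)
    return {"list_status": status, "items_visible": len(items),
            "hidden_item_listed": any(n == item for n, _, _ in items),
            "command_status": command_item(base_url, item, command, token, opener)}


# ---- constructed stand-in for a server (not openHAB) ------------------------
class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body.encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_server(implicit_user_role):
    """Stand-in that grants the 'user' role to everyone, or only to a Bearer token."""
    items = [{"name": "Light_Kitchen", "type": "Switch", "state": "ON"},
             {"name": HIDDEN_ITEM, "type": "Switch", "state": "ON"}]

    def opener(req):
        if not implicit_user_role and not req.get_header("Authorization"):
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        if req.get_method() == "GET" and req.selector == "/rest/items":
            return _FakeResponse(200, json.dumps(items))
        if req.get_method() == "POST" and req.selector.startswith("/rest/items/"):
            return _FakeResponse(200, "")   # the hidden Item takes commands like any other
        return _FakeResponse(404, "")
    return opener


if __name__ == "__main__":
    # Offline: python probe.py        Live: python probe.py http://host:8080 [api-token]
    if len(sys.argv) > 1:
        tok = sys.argv[2] if len(sys.argv) > 2 else None
        print(probe(sys.argv[1], HIDDEN_ITEM, token=tok))
    else:
        print(probe(BASE_URL, HIDDEN_ITEM, opener=fake_server(implicit_user_role=True)))
```

If a run with no token returns 200 for both the listing and the command, the implicit user role is on and the visibleTo setting on the widget is protecting nothing; with a user-role token the result is the same, which is exactly the point made above.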