Discussion: Multiple Users / Access Control / Security

There have been a number of discussions around multi-user support over the past several years. This topic has gotten renewed focus recently. The main discussion takes place on the Eclipse Smart Home GitHub site, so I wanted to be sure that the openHAB community is informed on the progress and contributing requests.

At this phase of the process, I am trying to make sure we are accounting for all the ways people would like to use security. We already have a decent list covering topics such as:

  • Restricting access to certain resources (Items, Things, Sitemaps)
  • Multiple login options (local username/password, OAuth2, LDAP)
  • Integration with common user interfaces (Basic UI, Classic UI, Paper UI, HABPanel)
  • openHAB Cloud integration
  • Restricting access based on time of day

You can help by:

  • Describing how you would like to use security
  • Listing any user interfaces you use that have not already been listed
  • If you are using openHAB for something other than home automation (such as in a business or convention center) please describe the setup and how user security would help

The design and development process is being coordinated using the GitHub issue and Google Document listed below. If you would like to get involved you can either participate in that process directly, or you can reply to this forum topic.

For the time being, please limit this discussion to describing your desired use cases.

4 Likes

Great to hear there is some progress on this topic.

Another use case I can think of is “voice control”.
Like Alexa and Google Home.

I think it would be useful for families if you could set different permissions based on the person that is giving a voice command.

I am not sure if this is actually possible and if this is an important issue.
But you might want to keep this in mind.

I use openHAB for home automation only.

user and Groups

Therefore for me it would suffice to have users only - but in bigger families or if I’d like to invite my parents or in-laws into this, it would help to have Groups also. I see something like this in Google docs, so I guess, I’m fine! :wink:

Temporary Access

Coming from users and groups, it would be great to have some temporary access, which can be invoked and revoked easily depending on rules (known scenarios) or depending on manual review by admin and/or manager (unknown “new” scenario).

voice access

I second Christoph’s thoughts, but I guess this has to be implemented within the voice software (e.g. Alexa, Google Home) - if I’m Thomas in Alexa context, this context should be given over to openHAB.

SAML, LDAP, AD, …

Speaking of users grants, I think some kind of identity management integration would be nice (ok, for personal use a bit overblown, but if the base is set, I think, it’s not that hard to integrate something like this). I read in the forum, some use openHAB for automating a bunch of rooms (Hotel, pensions, …) - this would help them integrate the actual users. Even more for the ones having openHAB in business context.

openhab Cloud

This one is especially important. I think I’m not the only one having a bunch of sensors, which could be interesting for others. I’m just thinking of field service. If they see the environment and my sensors before they drive to my place, it would help multiple drives. And I personally have an openHAB installed in my remote cottage - I’d like to have easy access to its sensors’ data for my family. Would be cool for them to have the info in the App or WebApp.

Just my 2 cents! And cool to hear an update! Thanks guys!

Another important feature would be to easily control permissions via GUI (sitemaps etc.).

Like giving a family member “master access” temporarily without editing a complex configuration file.

Some first thoughts on the sorts of things I’ve seen asked for on this forum:

Users:

  • ability to know who issued a command to an Item in Rules
  • ability to have separate sitemaps/habpanels on a per user basis
    • default interface for unauthenticated users?
  • ability to show/hide/render inoperable elements on a shared sitemap based on the user (can probably be handled by the previous point)

System:

  • ability to put username and passwords needed by bindings (e.g. MQTT, HTTP) into an encrypted store instead of plain text in the config files
  • built-in authentication and authorization (no more reverse proxies)
  • the ability to set the base URL so those who use reverse proxies can use addresses like https://my.homehost.org/openhab
1 Like

This is great news that this is starting to be looked at!

My use case is relatively simple.

I’ve a room I regularly let out, so I want to give visitors access to a single sitemap.

The WiFi is managed, so I’d like to do this by IP address.

I think the comments above describe a pretty complete description, other than the ability to define users by IP address.

1 Like

My use case is also relatively simple.

I’d like to restrict access either to an item for a given user, or alternatively to a specific sitemap. Basically if a user could be given rights to access some items but not others, (or some sitemaps and not others) then this would solve my need.

(We rent out the house, so I’d like to give access to the guests to the lights for example, but not to the irrigation system)

Hi,

Great that there is progress on this topic.

I would like to have different users or groups having access to specific sitemaps.
Granular access to specific items based on users or groups would be also a great feature.

Best regards,
Jens

Outside of the box, here. I’d like to have the openHAB app replace some user-specific functionality that many are doing with apps like IFTTT today. Simple things like geofencing, wifi status, location, NFC, etc. per user would go a long way and also simplify things by not requiring extra apps for such fundamental user inputs.

1 Like