Per-Item Authorization

Hi, I would like to make groups and users in openHAB and then allow certain groups or users to access an item. On the Sitemap only the items should be shown that the user has access to.
Is there any plan to implement something like this in future releases, or an add-on / reverse proxy solution for it?

openHAB2 has no concept of authorization.

openHAB3 currently has the concept of authorization but only Admin & non-Admin is currently implemented. Only Admin requires a login.

I do not know if OH3 authorization extends to UI visibility yet. I suspect not, but that could be a feature request.

Not per Item but per widget on the new MainUI’s Pages UI. See [wiki] Building Pages in the OH3 UI: documentation draft (2/3), in particular the `visibleTo` option. You can specify a role or a specific user’s name.

I guess if this is just changing visibility in the UI, it’s not actually checking any authorisation, so it doesn’t really stop anyone controlling the device - it just makes it slightly more difficult?

Sometimes that’s good enough. I agree I wouldn’t call it a security measure. That would require being implemented in the core. But it can be very useful to present a different set of controls to different users based on their role or login without needing to fully prevent their access to the Items in any way. Personal greetings, simplified UIs for guests, etc.

I agree - but it’s definitely not authorisation, as it will only work with the standard UI. Any other UI can access the information through the REST interface and there will be no limitation.

Absolutely - completely agree. But it’s only relevant for the webUI (or other UIs that may implement this of course) and is not really a security restriction.

This cannot be stressed enough :) It’s actually mentioned in the UI at some point (when you change the visibility of a page itself).
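
Added example, not part of the original thread and not openHAB code: a small model of the distinction the replies draw between hiding a widget in the UI and authorizing access to an Item on the server. The item names, users, roles, the `role:`/`user:` entry format and the per-item ACL are all constructed assumptions for illustration.

```javascript
// Constructed model: item names, users, roles and the ACL format are hypothetical.
const items = new Map([["FrontDoor_Lock", "LOCKED"], ["Guest_Light", "OFF"]]);
const userRoles = new Map([["alice", ["administrator"]], ["guest", ["user"]]]);

// Page widgets with a visibleTo-style list ("role:<role>" or "user:<name>").
const widgets = [
  { item: "FrontDoor_Lock", visibleTo: ["role:administrator"] },
  { item: "Guest_Light", visibleTo: ["role:user", "user:alice"] },
];

// Server-side per-item ACL (assumed design, not an existing openHAB feature).
const itemAcl = new Map([
  ["FrontDoor_Lock", ["role:administrator"]],
  ["Guest_Light", ["role:user", "role:administrator"]],
]);

function matches(user, entries) {
  const roles = userRoles.get(user) || [];
  return entries.some(
    (e) => e === `user:${user}` || roles.some((r) => e === `role:${r}`)
  );
}

// UI layer: only decides what is drawn for this user.
function renderPage(user) {
  return widgets.filter((w) => matches(user, w.visibleTo)).map((w) => w.item);
}

// Backend without per-item checks: the caller's identity is never consulted,
// so a widget hidden in the UI is still controllable through this path.
function sendCommandUnchecked(user, item, command) {
  if (!items.has(item)) return 404;
  items.set(item, command);
  return 200;
}

// Backend with per-item enforcement: default deny when no ACL entry matches.
function sendCommandChecked(user, item, command) {
  if (!items.has(item)) return 404;
  if (!matches(user, itemAcl.get(item) || [])) return 403;
  items.set(item, command);
  return 200;
}
```

In this model the enforcement point is the command handler, so the result is the same for every UI or client that reaches it.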