Professional ACL for Home Assistant

Professional access control for Home Assistant: deny rules, label-based permissions, custom roles, and per-service and per-automation permissions.

Home Assistant's current permission system has three fixed roles (Administrator, User, Read Only) and lacks several basic building blocks for real multi-user use. You cannot deny access to one specific entity while keeping the rest open. You cannot prevent someone from restarting HA while still letting them turn lights on. You cannot use labels (which already exist) as a permission axis. You cannot create custom roles.

This effort extends the existing permission engine to fix that, while keeping full backwards compatibility with current installations: zero behavioural change if you don't use the new features.


What it adds

  • Deny rules: explicitly deny access to specific entities, services or automations. Deny always overrides allow — grant broad access and then carve out exceptions surgically.
  • Label-based permissions: label entities as “protected” and restrict access by label. When you add a new device and label it “protected” it's automatically restricted — no need to update the policy.
  • Custom roles: create roles like “Home manager”, “Guest” or “Kids” with tailored permissions, instead of being limited to the three system roles.
  • Per-service permissions: control which services a user can call. For example, allow light.turn_on but deny homeassistant.restart.
  • Per-automation permissions: control who can view, edit or trigger specific automations and scripts.

Example: “Home manager” role

A user who can control everything except protected entities and critical services:

    All entities: read + control + edit
    Entities labelled “protected”: deny control + edit
    All services: allow
    homeassistant.restart and homeassistant.stop: deny
    All automations: read + trigger
    Automations labelled “protected”: deny edit

The superadmin just labels critical items as “protected” and the permissions follow automatically.
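
The "Home manager" policy above, evaluated with deny-overrides-allow semantics. This is an added sketch, not the project's code and not a Home Assistant API: `Rule`, `HOME_MANAGER` and `is_allowed` are hypothetical names, the `call` action name is invented for services, and the default-deny result when no rule matches is an assumption.

```python
# Added illustration: NOT Home Assistant's API or this project's implementation.
# Rule, HOME_MANAGER and is_allowed are hypothetical names.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    effect: str                  # "allow" or "deny"
    kind: str                    # "entity", "service" or "automation"
    actions: frozenset           # actions the rule covers, e.g. {"read", "control"}
    target: str = "*"            # glob over object ids, "*" means all
    label: Optional[str] = None  # if set, rule applies only to objects with this label


HOME_MANAGER = [
    Rule("allow", "entity", frozenset({"read", "control", "edit"})),
    Rule("deny", "entity", frozenset({"control", "edit"}), label="protected"),
    Rule("allow", "service", frozenset({"call"})),
    Rule("deny", "service", frozenset({"call"}), target="homeassistant.restart"),
    Rule("deny", "service", frozenset({"call"}), target="homeassistant.stop"),
    Rule("allow", "automation", frozenset({"read", "trigger"})),
    Rule("deny", "automation", frozenset({"edit"}), label="protected"),
]


def is_allowed(rules, kind, object_id, action, labels=frozenset()):
    """Return True only if some allow rule matches and no deny rule matches.

    Assumption: when no rule matches at all, the request is denied.
    """
    allowed = False
    for rule in rules:
        if rule.kind != kind or action not in rule.actions:
            continue
        if not fnmatchcase(object_id, rule.target):
            continue
        if rule.label is not None and rule.label not in labels:
            continue
        if rule.effect == "deny":
            return False  # one matching deny is final, regardless of rule order
        allowed = True
    return allowed
```

Because the deny rules key on the label rather than on entity ids, passing `labels={"protected"}` for a newly labelled device changes the decision without any edit to `HOME_MANAGER`.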


Who benefits

  • Families with children who should only control their room's devices.
  • Shared households where roommates shouldn't access each other's areas.
  • Landlords providing tenants with limited smart-home access.
  • Small offices or businesses using Home Assistant.
  • Power users who want fine-grained control over who can do what.

Status

Working proof of concept with full test coverage:

Designed to be merged as a series of small, independent PRs: deny support and label permissions first (~300 lines), then custom roles, per-service permissions and audit logging.
