Guest user can delete devices?

I was adding my wife as a guest user after adding the mobile app to her phone.

When I logged in with her account, I went to check the device list to see if her phone had been discovered / added.

Just to check, I went to delete my phone from the device list, fully expecting a "you don't have permissions" type message. But instead, it deleted my phone, no problem.

What is the difference between a "guest" account and an "admin" account?

Here's some info.

1 Like

Yeah, I was able to do all of that.

I don't understand why my wife's account, as a guest account, has the ability to delete anything.

The guest role is only a setting in portal. Guests can't add other users.

Currently the role admin and guest have nothing to do with what happens on the hub.

If you want to restrict dashboards, you can make them read only or password / pin protect them.

If you want the hub to be secured, we have a separate local hub security login account you can also set to lock down the hub.

I need to do some more reading / understanding the purpose of the Local Hub Security Login. I turned it on at one point, basically got locked out, and needed to reassess what I was doing with it.

Thanks for the quick support!

I WAS considering using the HE hub to do the security for my business location (locks and alarm) until I realized that ANYONE with a URL link to a dashboard can access all of the devices on that dashboard with no login or password required.
This means that a disgruntled employee could share the URL with whoever they pleased and unlock the doors of the business, disable the alarm, etc.
I bought the HE hub because I thought I read that you could share only the devices that a person needed access to.
Apparently I interpreted that wrong.

So unless someone can point me to a way of securely using this hub... it's going in the trash...
A total free-for-all.
Not going to happen.

This is correct. So if you don't want someone to access locks and sirens, then don't make those devices available on the dashboard that you give them access to.

Here is an example of the point I am trying to make...
I don't know you and you don't know me

Click this link...

https://cloud.hubitat.com/api/6c07892e-ee0a-4815-a2f3-45bcc0af466d/apps/3/dashboard/68?access_token=36f15042-3e57-422d-b0c8-9dc228f3be55

By having this link you (a stranger to me) can unlock the 2 locks on the dashboard.

My opinion... this should not exist and creates a serious security issue.

Now the app knows who you are and if I add you as a guest, then I ought to be able to authorize specific devices to you and hide others.

Worse than that. With that link I can view any dashboard that is not pin protected and I can control any device whether it’s used on a dashboard or not. In fact with the uuid and oauth token I can control any device so long as the dashboard app is installed. Even if none of the dashboards are cloud enabled.

PS you need to change your dashboard OAuth token ASAP!

This is one of the many reasons my hub has been firewalled from the internet.

1 Like

Basically the answer here is to not give anyone access to any dashboard without 100% trust in them having access to control the whole system.

2 Likes

I do have ways to lock down a dashboard so people cannot access other devices (removal of the options buttons), but it is not something to post publicly (if used wrong it can really mess things up). If you need those options, PM me to discuss.

I create different dashboards for different people. If I no longer want someone to have access I simply delete their dashboard.

You can PIN protect individual dashboards, and change the PIN # if you want to revoke access from someone.

Simply changing the dashboard number in the URL opens up a lot of access. I know it is on the development list, but separate OAuth tokens per dashboard are needed.

4 Likes

At DASHBOARD, if you have a PIN#:
If using MOBILE APP + HUB WEB UI + SELECTING DASHBOARD, it does NOT open; it goes to a white screen but never asks for the PIN#.

But then when using the mobile PHONE APP, if you directly select the dashboard icon at the bottom left corner, everything is fine.

Can somebody please check if they have the same problem?