Hello. My task is: to temporarily grant access to home assistant for one user, for example for 1 day. After that, the user should lose his right to enter the HA website.
As an idea, I think, is it possible to generate new passwords for this user every day? I want to transfer passwords via API from CRM. Or are there other ways to implement this?
#How to programmatically change a user’s password
what is your actual use case here?
Sorry, I didn't understand your question.
what's the situation, the problem and the desired outcome
The XY problem is a communication problem encountered in help desk, technical support, software engineering, or customer service situations where the question is about an end user's attempted solution (X) rather than the root problem itself (Y or Why?).
I need to give temporary access to my house to different people. This is for a hotel. For this I want to automatically generate and set a new password each time.
How to implement - I haven't found a way.((
Did I post in the wrong forum?
this is not really something that home assistant is designed for. it does not have RBAC so if you have 1 big HA server it would be very easy for guests to mess with devices in other rooms if you let them log in
I understand that there is no RBAC and corresponding API. Therefore, I am looking for a solution that would suit me to solve my problem
you could have separate instances for each room i guess. but people could still potentially mess with stuff so you would probably want to have a freshly configured system for each new guest. (snapshot on proxmox maybe?)
as for setting a user password. you can do this on the ha-cli in haos.
you could open ssh access to haos directly - there's methods of doing this on port 22222. then load the ha-cli and use the password reset command `auth reset --username 'existing_user' --password 'new_password'`
so you could make a script to reload the instance from a known working install, then ssh in and send the commands to set a random password
is it critical that the guests are able to access on their own device? for physical access or something?
a better solution would be a wall mounted tablet that is in kiosk mode that shows only the dashboard for their room
another approach would be to write your own frontend system which can serve as the RBAC and send stuff back to HA to do stuff.
however all of these ideas are not recommended and are wildly unsupported
In fact, I only have one house for rent. And I have contactless settlement. Before arrival, the guest receives a link to HA, where the standard login "guest" and a new password are entered, for example, his phone. If he had the opportunity to open the gate, door, turn on the light, etc.
[in Ukrainian] this is too complicated..
english only please
okay so, you could use the shell_command integration to call the auth script
documentation shows it runs in the home assistant container context
Can you tell me how to do this?
documentation is here https://www.home-assistant.io/integrations/shell_command/
you add to the configuration file:
```yaml
shell_command:
  commandname: command-to-execute-when-called
```
so you would want something like this -
```yaml
shell_command:
  newpassword: hass --script auth --config /config change_password existing_user new_password
```
the issue you have is that its a fixed command
maybe you could write a script which shell_command calls which would itself generate random password, sets it and then responds with the password which feeds up to an automation that calls it which then sends the password somewhere
it is clear how to do it.
now the task is how to set a new password
Can I try to change the password from the console? - I have an error, it says zsh: command not found: newpassword:
how are you accessing the console?
via Advanced SSH & Web Terminal. But, I realized that it won't be that easy...
you can do it from there i believe
first you need to ensure that addon is not running in protection mode which it is by default for security
then you will be able to access the homeassistant container environment with `docker exec -it homeassistant bash` then you should be able to use `hass --script auth --config /config change_password existing_user new_password`
most likely, this is so. So I didn't change anything after installing it on my raspberry pi. Where do you say I can read about it, or how to turn it off?
thank you very much.
now i can change my password from crm system.
nice, please be aware though that depending on your setup, updates MIGHT break stuff
yes, I remember that. Please tell me, is there a similar command to terminate a user? i.e. you need to log out of the system when his access is denied
there's a custom component here - https://github.com/matejdro/login_control
looks like with that you get an action which you can use to clear logins which you could do by automation
Creating a new end user/dashboard app seems like the least path of resistance. The new UI platform could support RBAC and provide a solution to this problem that has been discussed for years with no real solution. and "buy" time to solve the backend RBAC issue.
Even if you do write your own app, just be aware that the credentials that app uses to communicate with the server are the same credentials that user can use to have full access to everything via the backend APIs. So it's security through obscurity at best.
agree but from reading the community post around the RBAC topic seems most people want a UI that doesn't allow someone to stumble in to the log book or calendars shared with HA. if there was an admin UI and a User UI and the User UI fully supported RBAC for publishing dashboards that all of the settings were restricted to groups or a user policy this would be a big step forward imo