#Security Concern: New Dashboard Bypasses Visibility Settings

Hi everyone,

I’ve noticed a potential security issue with the new dashboard.
If a user knows the URL of the new dashboard, they can access the page directly — even if it’s not listed or visible in the navigation/sidebar.

From my perspective, this is a security risk.

Previously, dashboards were explicitly assigned to users via the Visibility tab, so access was clearly restricted.
With the new dashboard, users can now access all devices, as long as they have the URL.

This bypasses the existing visibility/access control concept and changes the behavior compared to how dashboards worked before.

I think this should be addressed, as URL knowledge alone should not grant access to dashboards or devices.

I'm pretty sure this is known. The position of the HA team has always been that there is no real inter-user security. If you give someone HA login, they can access everything.

visibility is a convenience feature only

I understand that HA doesn’t provide strict inter-user security and that visibility is considered a convenience feature.
However, answers like that don’t really address the core issue.

Previously, dashboards had to be explicitly made visible to users. With the new dashboard, knowing the URL alone grants access — even if it’s not exposed in the UI — effectively exposing all devices. This is a regression in behavior and breaks the existing mental model.

A common real-world use case is children: they should control only their own room, not all devices.

As a temporary mitigation, being able to disable the built-in dashboard until a better solution exists would already be helpful.

Is there a public todo / feature list for the new dashboards, or where would be the right place to submit a feature request for this?