Link

Users and Security

Libre Home strive to achieve maximum level of security and privacy protection.

We design a custom security model that is optimal for both residential and enterprise users.

User and Group List

The screen lists all users and groups defined in the system.

Icons marked red are with super user (administrator) privileges.

Security Model

User and Group

Group is a list of users.

Privileges

A user or group may have special privileges.

  • Super System Admin - Super user. A super user has maximum privileges.
  • Device Add Device - The user/group can add new devices to system.
  • App Add App - The user/group can add new App to system.
  • Task Add App Task - The user/group can add new App Task to system.
  • Task Add Scene - The user/group can add new Scene to system.
  • User Add User - The user/group can add new user to system.
  • Enable Account Enabled - The account is enabled.

Access Control

User/Group may have a list of access to other objects, such as devices, apps, tasks, and users.

  • Read Read
    • For devices, get status
    • For other objects, know the existence
  • Control Control
    • For devices, control
    • For tasks, turn on/off
    • For users, send messages
  • Remove Remove; user can remove this object from system
  • Config Config; user can manage the object
    • For devices, change attributes
    • For tasks, edit the task arguments
    • For users, change user attributes; for groups, edit the group members

System Objects

Access control may be defined on types of system objects below:

  • Device Devices
  • Device Logical Devices
  • App Apps
  • Task Tasks
  • User Users

Group Privileges/Accesses is Recommended

Inheritance

A user inherits privileges and permissions of all groups the user belongs to.

Note: Use of groups to assign permissions and access controls is recommended.

Privilege Inheritance

In stead of assigning “System Admin” privilege to individual users, it’s recommended to define an “Administrators” group, assigning “System Admin” privilege to the group.

Every user in that “Administrators” group will inherit the “System Admin” privilege.

Access Inheritance

Assuming we have a light named “Front Yard” in the system, if we assign “Read/Write” access of the light to the “Users” group, then every member of “Users” will be able to “Read/Write” the light, meaning getting status and control.

Simplified Security Model for Residential User

  • Residential setup can have 3 groups:
    • Administrators
    • Users
    • Guests

Passwordless Design

Only one master password is required for Hub recovery. Master password never leaves your home.

Hub admin manages mobile device accesses for each user. Each device has its own encryption keys. Mobile access can be easily added/removed.

Mobile List

Special Notes on Combined Inheritance

A user may be member of more than one groups. The privileges and accesses defined in different groups may be different. The inheritance rules still apply, by combining all privileges and accesses.

Account Enabled

If this flag is unchecked, user will not be able to login to the system.

**Note if a group is disabled, all members (including indirect members through nested sub-groups) will be denied login.

If a user belongs to two groups, and one group is disabled, the user will be disabled, even though another group is not disabled. “Account Enabled” flag is more stringent than other flags.**

Grayed Out Privileges

A privilege may be displayed grayed out. It is because the user/group inherits that privilege from parent groups.

Priviledges

Grayed Out Accesses

An access may be displayed grayed out. It is because the user/group inherits that access from parent groups.

Accesses


Table of contents