Tvheadend

Don't forget that the user access is chained (at least I wasn't aware of that until recently).
So, you go from down the top of the access list and whenever the access matches that access entry tag list get "added" to the final tag list.

As an example, imagine that the user matches first an access entry (by IP) that has access to all tags then down the list it matches another access entry (by username).
The tags defined in the second entry are "added" to the first one - the final tag access list is "all tags".

If this is the case, you should define on the second entry an "exclude tag" list (to remove from all tags the ones you don't want to give access to that user).

But the "exclude" functionality is semi-broken:
https://tvheadend.org/issues/5288
https://github.com/tvheadend/tvheadend/pull/1199

I do not have a second "*" entry (as far as I understand/have figured out only those match without a username) that could match.

I can only allow access to an username, not more users.

I think it is still bug

Could you show '--trace access' lines ?

Sure:

http: HTTP/1.1 GET /playlist/channels{{Host=xxxxxx,X-Real-IP=x.x.x.x,X-Forwarded-For=x.x.x.x,Connection=upgrade,user-agent=Mozilla/5.0 (Windows NT
6.1; rv:60.0) Gecko/20100101 Firefox/60.0,accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,accept-language=en-US,en;q=0.5,accept-encoding=gzip, deflate, br,upgrade-insecure-requests=1,pragma=no-cache,cache-control=no-cache}}
access: x.x.x.x:<no-user> [SA W       ], conn=0:s0:r0:l0, profile=ANY, dvr=ANY, tag=ANY 

Already looked az those (and enabled http trace aswell), but didn't see anything that's wrong. The IP is matching and there is a channel tag checked for that user.

I know it's a stupid question but: do you have "Channel tags" checked on the "Change Parameters" user access config?

Not a stupid question....

This can be closed, I misunderstood what "Change Parameters" meant, I interpreted it as "user can change the following parameters".

Thanks guys!