It could be usefull to have a user setting to enable safe mode on the account.

So that each time this user connect he is in safe mode.

If you mean, a user that can not damage anything by accident? Give them only read access. If they also need to make changes, but only rarely, give them two accounts. One read only one for general day to day use and a full one for when they know exactly what they wish to change.

If they cannot be trusted to use safe mode by immediately clicking on it after logon, what can they be trusted with?

I prefer trusting machines than myself or other users.

Read only is rarely used in the field simply because if you need to make a modification then you need to logoff and logon.

I think than default safe mode can be interesting.

Having to drive 300 or 500 km to a remote site because you forgotted to use safe mode is no good...


I prefer things that are safe by default, and removing safe mode if needed.

I would like this. I forget safe mode all the time.

Don't forget that to apply the changes you made in Safe Mode, you need to exit it. If you never knowingly entered it, it will be hard to get out, and could cause confusion why nothing is working.

That's true, but I'd rather apply changes twice than lock myself out. Or at least have the option to.

Currently we can't do it, as safe mode utilizes the not-so-advanced "history" menu and undo function. If two people use safe mode at the same time, things will break. We are planning to make a new and advanced command history system where this will be possible, but that's for v6

The safe mode button could be flashing and orange when in safe mode. So that you can't miss it.

Then allowing default safe mode by user basis could be interesting as well, so that if you don't like it you can disable it for you.


As we are in management things, i think it could be usefull for V6 to have a better remote console terminal, with shared session and more than one screen possible like localy, something we can have easily with "screen" terminal deamon under Linux.

Fisrt user enter "screen", second enter "screen -r -x" and you are in the same terminal session. Usefull for learning or checking things between technicians. It's even possible with screen to record terminal session. Something that could be usefull for support.

We could have as well something like : "a user is actually online on this router, do you want to share the console session with him ?"

I have found the system of a 'read-only' account very straightforward. I use it for all day to day business, I can see most things with no problems and cannot break anything! I found in the past that it far too easy to make changes to the order of firewall rules by accidentally drag and dropping rules when moving the mouse cursor using my laptop trackpad. So a read account is perfect for investigation and just looking.

When I am ready to make a change, it only takes a few seconds to log back in with a full account to make those changes.

I have only ever used safe mode for performing changes where I think it might possibly go wrong and it will take too long to drive (or with two customers) to fly to the radio site to repair the damage I caused.

For me, there is a list of many other things that can be improved with Winbox before spending time developing a change to this one!

Any news on this feature? This is probably one of main features that prohibits me from considering Mikrotik devices for any kind of serious production usage (yes, I am spoiled by Juniper's commit confirmed that saved my ass a couple of times).

Let me explain why - when you are rested and your brain is working, you are very unlikely to make a mistake in config that would render the device unusable. However when you are tired, that's when you forget to click the safe mode button and that's exactly when you have the highest risk of making a serious mistake during the configuration.

I personally can settle for the same way safe mode is working now, just with an option in Winbox at the startup saying "launch in safe mode" that would simply click the safe mode button for me in the beginning. If somebody else is editing in safe mode - I will get an error message, which will at least give me a reminder (plus I would prefer to know that somebody is changing settings along side with me anyways). To save the changes I would need to click "safe mode" button - that's similar to clicking "apply" or "save configuration" in other GUIs, which is something everyone is used to.

P.S. Maybe I didn't look hard enough, but while I could find a note saying that default timeout for safe mode is 9 minutes, I couldn't find any information on where and how to change those settings.

Let me give another reason this is important:

We have a NOC with many people having access to many routers. Our core infrastructure is redundant enough and locked down so no one can login and cause major damage in the core.

However, any users could write a script to cause serious damage to the endpoint devices (Mikrotik routers on customer premise). We've never had an issue with a malicious technician in ~15 years but it is an outlying risk. In order to provide the best service, we want our technicians to have access to these routers. Any tech has enough access to destroy all routers in a matter of minutes. If safe mode was required for these users, it would be much more difficult to cause serious damage.

For this purpose, safemode would have to be required (not just default) for specified users. Maybe "Safemode required" could be a permission setting on the group policy?

I'm reading this topic and still cannot decide would it be better to have safe mode activated by default.
But for sure would be great that you can chose which user would have safe mode by default.

Like someone said before, driving 400-500km to remote site is hassle, why not to save it?
You have one user which you use for critical things and one which you use for monitoring/small changes.

I think this would be an awesome feature!

I agree. While "require safe-mode" policy in user management can be somewhat hard to implement, I believe another tiny Winbox checkbox

that would simply click the safe mode button for me in the beginning

is really useful and easy implementation of that idea. And if this really will came handy for many users it can grow up in advanced safe-mode policies.

Hi!

Are there any plans to add that option? I think most "enterprise hardware" has the standard behaviour:

- Changes in Config are volatile until you "safe to bootconfig"

I really like that behaviour as a lockout can always made undone by letting someone power-cycle the device.

Safe Mode is a good thing, too, but it should be possible to make it "default".

Regards,

Stril

.. cut..
I personally can settle for the same way safe mode is working now, just with an option in Winbox at the startup saying "launch in safe mode" that would simply click the safe mode button for me in the beginning. If somebody else is editing in safe mode - I will get an error message, which will at least give me a reminder (plus I would prefer to know that somebody is changing settings along side with me anyways). To save the changes I would need to click "safe mode" button (better if orange flashing) - that's similar to clicking "apply" or "save configuration" in other GUIs, which is something everyone is used to.
..cut..

+1 .. probably easy to implement and a good start

i think mikrotik should make a limiting feature. For example user A login there are some mikrotik features that are forced hidden like mangle's page, routing's page etc