Hi,
I a searching for a way to allow certain changes in configuration to a routerOs user, who otherwise only has read access to the device.
Scenario is the following:
The router acts as the core-router of a network of an emergency service for a festival, that is separated (VLANs, firewalling, ..) as follows:
- 2 WAN connections for redundancy
- 1 “sensitive net” for the operational control room which is allowed http(s), e-mail and ftp access outbound to the WAN connections, as well as an VPN tunnel, with a high priority on the queuing.
- 1 “leisure” net which is open via LAN and wireless to all helpers who are in “standby”
The team operating the control room should be able to change this “leisure” net settings in three steps:
- allow access to the WAN with a limited priority
- allow access to the WAN, but with an even sharper limit, and restrict to one of the two WANs; additionally activating some more firewall rules for blocking some protocols
- completely forbid access to the WAN
This needs to be possible without “full access” to the router. Also the guys in the operating room are not trained to do any configuration here by hand, so this needs to be easy to do. I imagine a configuration which is depending by some “variables”, and there is a user profile which is only allowed to change these variables and nothing else.
Basically this comes down to the possibility of a user only able to switch between different predefined configurations of the router, not being able to do any other changes.
I think this is something which cannot be done with routerOS on its own. But maybe you have some idea how to do something like this?
Best Regards,
Peter