Hello Mikrotik. I always wanted to have admins with special write permissions. for example user A, can just add mangle rules and user B, can just manage ppp. user C is responsible for backups and restore and etc. at first I searched too much for applying these in my radius server till I saw this useful article from CISCO:
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html
and now, I think your later releases, Need to support this protocol, or support built-in methods in user creation.
FYI: Same thing should be achievable via Radius auth aswell 
http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_users.php
http://wiki.mikrotik.com/wiki/Manual:Router_AAA
That’s good. but not enough. still you can’t allow a user reach firewall rules while he can’t change ppp rules. or add routes.