How to block certain websites for selected users

Hi,

I tried to search for an answer to my question but had no luck :smiley: And I hope to find an answer here :slight_smile:

  • How can I block some websites (Facebook, YouTube, Twitter, etc.) for some users and allow them for other users?

  • I have external storage; how can I give folder-opening authentication to some users and prevent other users from opening the same folder?

Regards;

All of the sites you listed use SSL to protect their users’ security.
The only way you can really do what you want is to require your users to configure their browser with the MikroTik as a web proxy (not a transparent proxy; they must configure it explicitly).

Then you can set access rules in the http proxy settings and block outbound http from the proxy users with a filter rule.

Another way is:
Assuming you are using the default 192.168.88.1/24 on the router…

Make the DHCP server pool 192.168.88.127 - 192.168.88.254;
this will give all devices a dynamic IP address from that pool.

Add your firewall rules on this subnet (192.168.88.127/25) to block Facebook and whatever else you need.

Then, on the DHCP server, assign the ones you need to be unblocked as static and give them an IP address within 192.168.88.2 - 192.168.88.126.

This way you will have all clients configured as DHCP clients, but the ones you choose will be free.

Hope I made myself clear. Sorry for my English.

JB.

I have a simple way that actually works well, assuming the users you are blocking aren't tech savvy.

/ip firewall filter add chain=forward src-address=192.168.0.0/24 content=facebook action=reject reject-with=icmp-admin-prohibited comment=" Drop Facebook"
/ip firewall filter add chain=forward src-address=192.168.0.0/24 content=twitter action=reject reject-with=icmp-admin-prohibited comment=" Drop Twitter"
/ip firewall filter add chain=forward src-address=192.168.0.0/24 content=youtube action=reject reject-with=icmp-admin-prohibited comment=" Drop YouTube"

Instead of a src-address you can replace it with src-address-list.

I don’t think it works when there is embedded content on sites.

I think the best thing to do is to set up an Untangle box. It's what I would do. Users won't get suspicious if they don't see you fiddling with their computers. :sunglasses:

The problem with using content=xxxxxx to block websites is that the sites hemanguib wants to block all use SSL. The content match cannot see inside the encrypted session to catch that text. Of course if the user just types “facebook.com” into their browser, it will block this request, but if the user types https://facebook.com then they’re going to be successfully liking kitten videos shortly thereafter. If their browser’s homepage is set to https://facebook.com or they’re using a bookmark, the chances are pretty good that they’ve bookmarked the ssl version.

Just a quick update, if anyone tries those content-block rules (they are flawed, as ZeroByte explained):

Today I found that, for some reason, that backyard way of blocking is affecting port 25 and 587 traffic.

One user kept getting "connection interrupted" when trying to send mail, so don't use that rule unless you want to block outgoing email as well.

After allowing ports 25 and 587 above those rules, the emails worked again.

Of course, you could specify port 80 on the content=xxxxxxx rule if you only want it to block the web.
(HIGHLY recommended, because inspecting up to layer 7 on all connections is really going to tax the router.)
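To make the two posts above concrete, here is an added example (not code from the thread or from MikroTik) that models how a `content=` match behaves: it is a plain substring search over the TCP payload of every forwarded packet, so a rule that carries no `dst-port` also hits SMTP submission traffic that merely mentions the string, while either an accept rule for ports 25/587 placed above it, or scoping the rule to port 80, removes the collateral damage. The packets, addresses and chain layouts are constructed for illustration; RouterOS first-match chain semantics are approximated with a tiny evaluator.

```python
"""Constructed model of RouterOS ``content=`` matching and chain ordering.

Added example, not from the forum thread or MikroTik. Packets below are
hand-built samples, not captures; the evaluator approximates a firewall
chain where the first matching rule decides the verdict.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """Subset of a ``/ip firewall filter`` rule: action, optional content, optional dst-port."""
    action: str                      # "accept" or "reject"
    content: Optional[bytes] = None  # None == no content matcher
    dst_port: Optional[int] = None   # None == no port restriction (the original rules)

    def matches(self, pkt: Packet) -> bool:
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False          # case-sensitive substring search, like content=
        return True


# Constructed traffic from one restricted client (assumed address).
SAMPLES = {
    "http_facebook": Packet("192.168.0.10", 80,
        b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    "http_other": Packet("192.168.0.10", 80,
        b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # SMTP submission whose body merely mentions the word: the string is still on the wire.
    "smtp_submission": Packet("192.168.0.10", 587,
        b"DATA\r\nSubject: meeting\r\n\r\nI saw the post on facebook yesterday.\r\n.\r\n"),
    # TLS application-data record: opaque bytes, nothing for content= to find.
    # (The ClientHello that precedes it does carry the server name in its SNI
    # extension in the clear; that packet is deliberately not modelled here.)
    "tls_app_data": Packet("192.168.0.10", 443,
        b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))),
}

# The three chains discussed in the thread.
ORIGINAL = [Rule("reject", content=b"facebook")]
FIXED_BY_ORDER = [Rule("accept", dst_port=25), Rule("accept", dst_port=587),
                  Rule("reject", content=b"facebook")]
FIXED_BY_SCOPE = [Rule("reject", content=b"facebook", dst_port=80)]


def verdict(chain: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a chain with no match lets the packet through."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"


def rejected(chain: List[Rule]) -> List[str]:
    """Names of the sample packets the chain would reject, in sample order."""
    return [name for name, pkt in SAMPLES.items() if verdict(chain, pkt) == "reject"]


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("accept 25/587 first", FIXED_BY_ORDER),
                        ("scoped to port 80", FIXED_BY_SCOPE)):
        print(f"{name:>20}: rejects {rejected(chain)}")
```

Either fix stops the mail breakage, but scoping to port 80 is the cheaper one on the router because the payload search then runs only on plaintext web connections; it also makes explicit what the thread already says, that the rule does nothing for HTTPS.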

Can you do domain (or rather subdomain) based blocking? Or can you only play with IPs?

What if I wanted to allow work.domain.com but block leisure.domain.com?

Using the web proxy, you can block this kind of thing. Using layer7 inspection, it would be much more involved and slow your router to a crawl.

/ip proxy access
add action=deny dst-host=leisure.example.com
add action=accept

Of course, you would either need to redirect HTTP to the proxy via the dstnat chain in the firewall (the redirect must name the proxy port, 8080 by default, or the traffic lands on the router's own port 80):
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

… or else simply block http(s) connections in the firewall filters, and force the clients to have a proxy setting in their browser. This way is the only way to filter SSL-enabled websites.
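Why an explicitly configured proxy can apply `dst-host` rules to SSL sites, while a transparent port-80 redirect cannot, comes down to what the browser sends first. As an added example (not code from the thread or MikroTik), the snippet below parses the request line a browser sends to an explicit proxy, an absolute-URI `GET http://host/...` for plain HTTP or `CONNECT host:443` before the TLS handshake for HTTPS, and runs the resulting host through an ordered deny/accept list like the `/ip proxy access` entries above. Host names are assumed for illustration, and `dst-host` wildcard matching is approximated with glob patterns.

```python
"""Constructed model of explicit-proxy host extraction plus access-list evaluation.

Added example, not from the forum thread or MikroTik. The request lines and
host names are illustrative; wildcard matching uses fnmatch as an approximation
of dst-host patterns.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional
from urllib.parse import urlsplit


def request_host(request_line: bytes) -> Optional[str]:
    """Destination host from the first line of a request sent to an explicit proxy.

    Returns None for origin-form requests such as ``GET / HTTP/1.1`` (what a
    transparent redirect sees), because the request line carries no host.
    """
    try:
        method, target, _version = request_line.decode("ascii").strip().split(" ", 2)
    except ValueError:
        return None
    if method.upper() == "CONNECT":
        # CONNECT host:port is sent in the clear, before any TLS bytes flow.
        host, _sep, _port = target.rpartition(":")
        return host.lower() or None
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()   # absolute-URI form used with explicit proxies
    return None


@dataclass(frozen=True)
class AccessRule:
    action: str                     # "deny" or "accept"; first match wins
    dst_host: Optional[str] = None  # None matches any host, like an empty dst-host

    def matches(self, host: str) -> bool:
        return self.dst_host is None or fnmatch(host, self.dst_host)


# Mirrors the thread's list: deny one host, accept everything else.
ACCESS: List[AccessRule] = [
    AccessRule("deny", "leisure.example.com"),
    AccessRule("accept"),
]


def decide(request_line: bytes, access: List[AccessRule] = ACCESS) -> str:
    """Apply the access list to one request line; unreadable hosts are denied (model choice)."""
    host = request_host(request_line)
    if host is None:
        return "deny"
    for rule in access:
        if rule.matches(host):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for line in (b"GET http://work.example.com/index.html HTTP/1.1",
                 b"CONNECT leisure.example.com:443 HTTP/1.1",
                 b"GET / HTTP/1.1"):
        print(line.decode(), "->", request_host(line), decide(line))
```

The CONNECT case is the whole point: the proxy never sees inside the tunnel it then opens, but it already knows the host from the request line, which is why the thread recommends forcing clients onto the proxy and blocking direct HTTP(S) in the filter rules rather than relying on a transparent redirect.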