/user group policy and :global variables

Good morning everyone. I need to create a user with /user group policy=yes, but this allows the user to draw the webskin from webfig. I wish this weren't possible. How can I do that?

The policy flag is needed because the limited user must be able to access the global variables, but this doesn't happen. I also tried to change the owner of the script that creates the local variables, but to no avail. In the wiki it says that /user group policy allows you to check the global variables of other users too. Therefore I take it for granted that if the variables are created by the same limited user, at least those owned by him will be seen by webfig without flags on policy.

I assume that when you declare the global variable the user must also be set. If I go to System > Environment with the admin user I see the global variables, but the user field is blank.

IDK. But I agree that what's :global, and to what users, is really inconsistent for sure. I'm just not sure what's "correct", since how globals (and permissions) are handled has been a moving target across the past half dozen releases. Underlying this is the bigger issue that the available policy options do not match what may be needed (i.e. the ability to "re-skin" is tied to just write and webfig, which is not granular enough here).

IMO, you're really better off avoiding using :global to pass data between users. Recent builds do have :serialize/:deserialize, so either disk (or ramdisk) might be a better way to pass data between users.

Perhaps one day RouterOS will regularize how to have stored and/or “secret” variables (and functions) with some ACLs. But I do not see that soon…

It would just be good if MikroTik's docs covered what should happen in your case (and permission scopes were better documented too).
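The :serialize/:deserialize approach mentioned above, as an added example that is not from the thread or from MikroTik's documentation. It assumes RouterOS 7.x where :serialize/:deserialize and /file add with contents are available; the array contents and the file name settings.json are constructed for illustration. The point is that the reader script never touches another user's :global, so the limited user does not need the policy flag; what it needs instead is whatever read access to /file its group grants, which you can check on your own build.

```routeros
# Added example, not from the original thread. Assumes RouterOS 7.x with
# :serialize/:deserialize and "/file add ... contents=" available.
# The values below are constructed for illustration.

# Writer side: run from a script owned by the privileged user.
# Only the keys you intend to share go into the array; sensitive
# defaults stay out of it, so nothing secret lands in the file.
:local shared {"SendVariable"="yes"; "Site"="branch-1"}
:local payload [:serialize to=json value=$shared]
/file add name=settings.json contents=$payload

# Reader side: run from a script owned by the limited user.
# It reads the file instead of a :global owned by someone else.
:local raw [/file get settings.json contents]
:local restored [:deserialize from=json value=$raw]
:put ("Site=" . ($restored->"Site"))
:put ("SendVariable=" . ($restored->"SendVariable"))
```

Only the data you deliberately place in the array reaches the file, which is the opposite of the :global situation where the policy flag exposes every global at once. Keep the sensitive defaults in a script owned by the privileged user and publish just the customer-facing keys through the file.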

Thank you for your answer. The scenario is this: the router is supplied ready to use, but by offering a linked service, there is some sensitive data that the user must not be able to access. The router comes configured as working and the variables are automatically populated, but the user can set values via Environment. Only when you set the variable $SendVariable to yes does the magic start: the default setting of the variables is deactivated and those of the customer are acquired. In this case a copy is made using layer 7 as a notepad so that they are restored upon reboot. $SendVariable is set to false after the draft is saved in the L7 firewall, so the magic starts again only if the user sets $SendVariable to true again. I don't know what serialize and deserialize are; I'll look into it. If I don't have an answer I will also contact MikroTik support, hoping to solve the puzzle.