Users, Entitlements and scripts

I’m trying to set up a skin that will let a user log in and run scripts without being able to edit them. I’m running into an issue since it seems that the user needs to have “read” and “write” in order to see and run the script in question (the script brings an interface up or down). The problem is that if I give the user write, then they can do things like delete the script, which is not desirable.

The skin has access to /system script and almost nothing else.

Below is what I tried. Suggestions appreciated.

-jp

[admin@MikroTik] /user group> /user export hide-sensitive 
# mar/01/2017 22:43:12 by RouterOS 6.37.1
#
/user group
add comment="Group for using the simple scripts skin" name=simple policy=\
    read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude skin=scripts
/user
add comment="system default user" group=full name=admin
add comment="reduced priv" group=simple name=simple
...
[admin@MikroTik] /user group> /system script export hide-sensitive 
# mar/01/2017 22:47:44 by RouterOS 6.37.1
#
/system script
add name=ssid-one-enable owner=admin policy=read,write source="\
    \n/interface wireless enable [/interface wireless find where name=\"wlan-ssid-one\"]\
    \n:log info \"Enabled interface wlan-ssid-one\"\
    \n"
add name=ssid-one-disable owner=admin policy=read,write source="\
    \n/interface wireless disable [/interface wireless find where name=\"wlan-ssid-one\"]\
    \n:log info \"Disabled interface wlan-ssid-one\""
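
An added example, not part of the original post: a small Python audit that parses a RouterOS export like the one above and lists groups that pair a skin with the `write` policy, the combination the post identifies as the problem. The function names and the embedded sample (copied from the `/user group` and `/user` sections of the export) are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the /user group and /user sections of the export in the post.
EXPORT = r'''/user group
add comment="Group for using the simple scripts skin" name=simple policy=\
    read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude skin=scripts
/user
add comment="system default user" group=full name=admin
add comment="reduced priv" group=simple name=simple
'''

def parse_export(text):
    """Return {menu: [{property: value}, ...]} for every 'add' line."""
    # A trailing backslash continues the command on the next (indented) line.
    text = re.sub(r"\\\n[ \t]*", "", text)
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            # shlex keeps quoted values such as comment="..." in one token.
            pairs = (tok.partition("=") for tok in shlex.split(line)[1:])
            menus[menu].append({k: v for k, _, v in pairs})
    return menus

def granted(policy):
    """Policies a group actually has: entries without the '!' prefix."""
    return {p for p in policy.split(",") if p and not p.startswith("!")}

def audit(text):
    """List (group, skin, users) where a skinned group still holds 'write'."""
    menus = parse_export(text)
    findings = []
    for group in menus.get("/user group", []):
        if "skin" in group and "write" in granted(group.get("policy", "")):
            users = sorted(u["name"] for u in menus.get("/user", [])
                           if u.get("group") == group["name"])
            findings.append((group["name"], group["skin"], users))
    return findings

if __name__ == "__main__":
    for name, skin, users in audit(EXPORT):
        print(f"group {name!r} (skin {skin!r}) grants write to users: {users}")
```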