I do not consider myself as beginner but this particular question is so simple that I believe it belongs here.
I tried to set up user which could do only testing functions (ping, traceroute etc..), nothing else: As you can see, I allowed the user to log in via winbox/ssh and I allowed running "test" commands which is described as:

test - policy that grants rights to run ping, traceroute, bandwidth-test, wireless scan, sniffer, snooper and other test commands

However, my experiment shows that user can't run anything, not even simple "ping" unless the "read" permission is given as well. I wanted to avoid that because I do not want the user to see all configuration...

As my experience somehow contradicts, what is written in manual, I am wondering if there is any "beginners" mistake which I did?

Hey

I don't think "it's just you". Same experience here: the policy grouping / consistency / effectiveness needs to be looked at by Mikrotik.