Your requirements are poorly worded.
Who is allowed to access the router?
The only reason to access the router itself is to change or manage the configuration.
So I have an adminaccess input chain rule for this purpose.
Separately I have allow in-interface-list=LAN rule on my input chain to allow DNS remote requests on port 53 udp/tcp.
Other than that there is no requirement for users to access the router.
To access the router there are a few steps.
a. ensure you have an INPUT CHAIN rule that allows access from the subnet, or IP address or list of IPs of those devices and admins that will have the ability to modify the configuration.
b. ensure you to go IP services and ensure winbox is selected, you can put in the same address or subnet
(you may put the whole subnet in the firewall rule but in the winbox rule narrow it to a single IP).
(for example yuou could put your desktop IP and then your laptop IP (and if you plug your laptop into other subnets, and they are set to static IPs, you can add those so no matter what subnet you plug into you can get to winbox).
c. Another place to consider is the WINBOX MAC setting under TOOLS, typically this is a major interface so that the mac address of the winbox can be available across all the subnets.
The winbox service rule and firewall rule then limit who can use the info.
Finally, highly suggest you change the default port for winbox to something NOT 8291!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)