jkroon
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Apr 03, 2008 2:18 am

User Access Control

Sat May 02, 2009 3:40 pm

Hi all,

I've got a need to create a reasonably generic "admin" user with rights to update specific configuration aspects of RouterOS.

To be more precise, I'd like to enable a user to update pretty much everything to do with wireless, including SSID, channels and pretty much everything else, however I don't want him to be able to tamper with the devices as such. Specifically we'll be creating a bridge over two of the three ethernet ports and the wireless interface, and two pppoe connections over the other. We don't want the user to be able to access anything with regards to this bridge and pppoe config, but (s)he needs to be able to configure the IP assigned to br0. We'll also be storing a few scripts on the router which we don't want the admins to tamper with.

From what I can see the access controls we can grant read and/or write privileges on the config as a whole, but we can't seem to deny access to specific configuration areas (or even if it's the other way round, we're willing to grant access to specific bits that makes sense).

Any ideas?
 
NAB
Trainer
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: User Access Control

Wed May 06, 2009 8:28 pm

> From what I can see the access controls we can grant read and/or write privileges on the config as a whole, but we can't seem to deny access to specific configuration areas (or even if it's the other way round, we're willing to grant access to specific bits that makes sense).

That's pretty much right. There is very little granularity in access rights. Groups do grant access to certain functions, but you'll find it's trial and error working out what you may or may not need. The chances are that you won't be able to do what you want to do. Except....

Using the metarouter - http://wiki.mikrotik.com/wiki/Metarouter (warning, beta, unpredictable etc.), you could create a base firewall configuration to which the users don't have access and then a virtual firewall to which they do. That way they can set up whatever they want in their own firewall, but within the bounds set by your master firewall.

Not played with metarouter yet, so I can't comment any more than that!

Nick.
