I don't seem to find the info on these settings in the manual.
I need to know what, why and when different policies can be, or not, set.

Bad such info can't be found easy in manual. This is basic config that each user should understand and use as first thing....

which settings, please clarify

which settings, please clarify

Well, the question is in my post....
I can make an user and assign him to a group and assign him a password. But all the different options for policies? They are not all that clear to me. In the days of ros 2.x we had a reference manual explaining each and its meaning. Now I can't find any of such info.
Meaning new user (and sometimes more advanced) just need to make good guess?

Some policies are quit cryptic and it is not completely clear what specific user it allows or dis-allows if this policy is checked or not. But maybe am I overlooking the manual somewhere?

http://wiki.mikrotik.com/wiki/Manual:Ro ... Properties

Thnks Fewi, this is what I was looking for.
How does MT expect to find this info under a title "Router AAA"? Even now this title makes no sense to me, let alone newbees....

That's exactly where it should be. AAA means authentication, authorization, and accounting. What permissions a group has that a user belongs to is squarely in the realm of authorization. Authorization means "what is an entity allowed to do after it has authenticated itself to be that entity".

Hello This post help me find the description of user groups. The problem is the definition on manual is different than in the application. I create a user that belong to a group which has winbox and test policy, he can login via winbox but cannot access ping and traceroute from tools. The error was not permitted. Is there any policy that have to be selected beside test and winbox?

It is permitted because you are not allowed to read output from ping command. Add read policy.

It is permitted because you are not allowed to read output from ping command. Add read policy.

thankyou mrz, it worked but i like the implementation on older outdated 3.30, even without read policy still can do pings and traceroute plus an added bonus couldn't read the device configuration. I guess it's "fixed" on newer os release

Hi there. My question maby stupid, but how to create user that can update RoS on device but cannot change policy or full group users password?

Please don't raise 10 year old topics, just make a new one.
Depends on how you will download the packages. To disallow change of policy, their group needs "policy" setting removed.
So you could have a user with FTP, Write, Reboot policies: https://help.mikrotik.com/docs/display/ROS/User

Sorry for rising old one. And thanks for reply.