simogere
Frequent Visitor
Topic Author
Posts: 56
Joined: Fri May 24, 2013 11:54 am

Dude policies

Tue Feb 28, 2023 4:37 pm

Hi, I'm seeing that the only way to log in with the Dude client is with the "winbox" policy turned on.
This means that a user that can "write" in dude, can also "write" in winbox too.

Is there any way to separate them? I just need a dude user with write permissions but that cannot login and "write" with winbox.

My dude_write group has: write, test, read, dude, ftp, winbox

Thanks in advance.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Dude policies

Tue Feb 28, 2023 5:14 pm

Not really AFAIK.

See, the Dude is really an extension of RouterOS (e.g. the server is a package on the router & Dude uses the same winbox protocol between client and server).

Now the Dude DOES use its own database, but that isn't a separate policy – it's "winbox" + the singular "read" or "write" (as you found out). So totally a fair request (e.g. you have a NOC who you want managing the alarms, but nothing else). But policies aren't very rich, even in core RouterOS.

Then again... you might want this "junior admin" (or NOC operator) to move a Device from one Dude map to another too (which is stored in the Dude's db) – but even "admin" cannot move a Device's map – that's the missing feature that bites me all the time.
 
simogere
Frequent Visitor
Topic Author
Posts: 56
Joined: Fri May 24, 2013 11:54 am

Re: Dude policies

Tue Feb 28, 2023 5:39 pm

I cannot clearly understand what you mean, be patient.

I'm trying to log in to my RouterBOARD with winbox with a "dude_write" group user (ftp, read, write, test, winbox, dude) and I don't have full permissions, but for example I can change IP, firewall.

And without "winbox" policy, a "dude_write" group user cannot login with Dude client.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Dude policies

Tue Feb 28, 2023 6:32 pm

It's confusing since RouterOS "policy" can refer to both "access to protocols" and "access to configuration". And it has limited policy controls for configuration.

> And without "winbox" policy, a "dude_write" group user cannot login with Dude client.

Since the Dude is using the winbox protocol, you NEED to have winbox in the policy for the Dude to work. No workaround for that.

And "write" allows access to everything, except those that have explicit policy. But both /ip/address and anything in the Dude are covered by "write". And without "write" in policy, you cannot write to the Dude.

Just how it works. This is a feature request AFAIK.
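
An added example, not part of the thread: because the Dude client needs "winbox" and "write" covers both the Dude and router configuration, this Python check flags groups that combine "dude", "winbox" and "write". The export text is a constructed sample and the function names are hypothetical; it assumes `/user group export` marks disabled policies with a leading `!` and wraps long lines with a trailing backslash.

```python
import re

# Constructed sample in the style of `/user group export` output (not from the thread).
# Assumption: a leading "!" marks a policy that is disabled for the group.
SAMPLE_EXPORT = """
/user group
add name=dude_write policy=ftp,read,write,test,winbox,dude,!local,!ssh,!reboot,!policy
add name=dude_read policy=read,test,winbox,dude,!write,!ftp,!local
add name=api_ro policy=read,api,!write,!winbox,!dude
"""


def parse_groups(export_text):
    """Return {group name: set of enabled policies} from '/user group' add lines."""
    # Join lines that the export wrapped with a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        # key=value pairs; values may be quoted.
        fields = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
        name = fields.get("name", "").strip('"')
        policies = fields.get("policy", "").strip('"').split(",")
        # Keep only enabled policies (drop empty and "!"-negated entries).
        groups[name] = {p for p in policies if p and not p.startswith("!")}
    return groups


def dude_groups_with_config_write(groups):
    """Groups whose members can use the Dude and also change router config via WinBox."""
    risky = {"dude", "winbox", "write"}
    return sorted(name for name, enabled in groups.items() if risky <= enabled)


if __name__ == "__main__":
    for name in dude_groups_with_config_write(parse_groups(SAMPLE_EXPORT)):
        print(f"{name}: Dude operator can also write router config over WinBox")
```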
 
simogere
Frequent Visitor
Topic Author
Posts: 56
Joined: Fri May 24, 2013 11:54 am

Re: Dude policies

Wed Mar 01, 2023 1:20 am

Ok, clear now! Thanks
