MikroTik RouterOS Users and Groups

Document revision 13-Jun-2002
This document applies to the MikroTik RouterOS v2.4 and v2.5

Overview

MikroTik RouterOS has a local user database. Permissions and user rights are granted to groups. Users belong to groups and receive all the permissions and user rights assigned to that group.

Contents of the Manual

The following topics are covered in this manual:

User Management

User management can be accessed under the /user menu:

[MikroTik] user> print
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

[MikroTik] user>

Use the add command to add a user to the user database:

[MikroTik] user> add name=joe group=ppp password=j1o2e3
[MikroTik] user> print
Flags: X - disabled
  0   ;;; system default user
      name=admin group=full address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

  1   name=joe group=ppp address=0.0.0.0/0 caller-id="" tx-bit-rate=0
      rx-bit-rate=0 only-one=no max-session-time=0s

[MikroTik] user>

Argument description:

name - (required) User name. Must start with an alphanumeric character and contain alphanumeric characters, "*", "_", ".", "@".
group - (required) Name of the group the user belongs to. The system default groups are 'full', 'write', 'read', and 'ppp'. See below on how to manage user groups.
password - User password. If not specified, it is left blank (hit 'Enter' when logging in). It conforms to standard Unix characteristics of passwords. Can contain letters, digits, "*" and "_"
tx-bit-rate - Connection rate limit for PPPoE transfer
rx-bit-rate - Connection rate limit for PPPoE receive
caller-id - For PPTP it IP address of the client, for PPPoE it is MAC address of the client
max-session-time - (Only for PPP connections) Maximum session time user can have when logged in
only-one - (yes / no) (Only for PPP connections) If 'yes' user can have only one session at a time
address - Ip address form which the user is allowed to log in. When logging in using PPP, if the remote address is specified in PPP interface settings then this address should match the specified address in order to enable client to log in. Can be in the form address/mask, where 'mask' is the number of bits in the subnet mask.
netmask - Network mask of addresses assigned to the user

Note! User name "*" will be used for PPP as any user.
List of active users can be viewed using the /user active print command:

[MikroTik] > /user active print
  0 when=mar/26/2002 15:55:44 name=admin address=0.0.0.0 via=console
  1 when=mar/26/2002 15:56:44 name=joe address=0.0.0.0 via=console

[MikroTik] >

When the user has logged on he can change his password using the /password command. The user is required to enter his/her current password before entering the new password. When the user logs out and logs in for the next time, the new password must be entered.

User Groups

User group management can be accessed under the /user group menu:

[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web

[MikroTik] user group>

There are four system groups which cannot be deleted. Use add command to add a user group:

[MikroTik] user group> add name=reboot policy="telnet reboot read"
[MikroTik] user group> print
  0 ;;; ppp users
    name=ppp policy=ppp

  1 ;;; users with read only permission
    name=read policy=local telnet ssh reboot read test web

  2 ;;; users with write permission
    name=write policy=local telnet ssh reboot read write test web

  3 ;;; users with complete access
    name=full policy=local telnet ssh ftp reboot read write policy test web

  4 name=reboot policy=telnet reboot read
[MikroTik] user group>

Here, the argument name is the name of the group, and policy contains the list of policies assigned to the group:

local - User can log on locally via console
telnet - User can log on remotely via telnet
ssh - User can log on remotely via secure shell
ftp - User can log on remotely via ftp and send and retrieve files from the router
reboot - User can reboot the router
read - User can retrieve the configuration
write - User can retrieve and change the configuration
policy - Manage user policies, add and remove user
test - User can run ping, traceroute, bandwidth test
web - user can log on remotely via http
ppp - User can log on using ppp connections to the router (PPP, PPTP, PPPoE)


Copyright 1999-2002, MikroTik