Managing RouterOS Login – Users and Groups

When you take a MikroTik router out of the box, it comes with a default account having a username as “admin” and no password.

If you wish to add new users, this is possible on the RouterOS. Also, you can give privileges to those created users. For example, you can say that John who is your junior engineer will have a limited access to the router. That’s possible to be done using the groups.

In the upcoming LAB, I am going to show you how you can play with the users and groups on the MikroTik RouterOS.

LAB: RouterOS Users and Groups

Again, we are still on the same LAB scenario. Let’s check what users we have on R1:

We only have 1 user admin which is the default one.

Let’s try to delete that default user, is it possible?

[mepr-show rules=”319″ unauth=”message”]

It says clearly that it is not possible to delete because on the router you should have at least one user with full access permissions, otherwise how can you access the router? Got it?

Let’s do a trick. I will create a new user and give it full access permissions, then will try to see if I can delete the admin user.

Let’s create the new user. I will give it a username of Maher and password 123456:

The user has been created. I have given it the group as full, which means that it has a full permission (will speak about groups in a moment).

As I have 2 users with full permissions, let me try to delete the admin user now and see if it is possible:

And the result is:

Excellent!!! The default admin user has been deleted successfully because I have another user having the full privilege.

Now, let’s check what groups we have by default:

We have 3 different groups by default:

  • Read: just for read-only access
  • Write: can do most settings (no permission to Dude and FTP)
  • Full: have full access to all settings on the router

Let’s open the full group which was assigned to the username Maher and see what it contains:

You can see, everything is checked that means users which belong to this group can do everything on the router.

Let’s assume that you have a junior engineer that you want to give him limited access to the router. The access that you which to give him are:

  • Winbox
  • Read
  • Test

The name of this Junior engineer is John. We need to create for him an account with those limited accesses.

First, we need to create a group and assign those listed permissions to that group. Let’s do it:

So, this group has been created. Now I need to create an account with username John and assign him to this created group. Let’s do it:

I have created a user John, selected the group Junior and I put a password of 123456.

I will logout from Winbox and login using John account.

I am connected now as John to the MikroTik router via Winbox. I could connect via Winbox because this privilege is assigned to the group of John.

Let’s check if I can change the router IP address:

You can see clearly that I cannot add/delete/edit/disable the IP addresses. Why? Because John does not have this permission assigned to the group that he belongs to. Got it?

What if I try to make ping to do you think it would work? Remember, I have assigned the test permission on the Junior group, that means logically it should work. Let’s try:

Yes, it is working. That’s awesome.

This is all what I wanted to show in this LAB.



Submit a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

Please Login to Reply or add a comment!