[admin@MikroTik] user> print
Flags: X - disabled
0 ;;; system default user
name="admin" group=full address=0.0.0.0/0
[admin@MikroTik] user>
Use the add command to add a user to the user database:
[admin@MikroTik] user> add
creates new item with specified property values.
address Network address part of addresses user is allowed to use
comment short description of the item
copy-from item number
disabled
group Permissions group for user
name New user name
netmask Netmask part of addresses user is allowed to use
password User password
[admin@MikroTik] user> add name=joe password=j1o2e3 group=write
[admin@MikroTik] user> print
Flags: X - disabled
0 ;;; system default user
name="admin" group=full address=0.0.0.0/0
1 name="joe" group=write address=0.0.0.0/0
[admin@MikroTik] user>
Argument description:
name - User name. Must start with an alphanumeric character and may contain alphanumeric characters, "*", "_", ".", "@".
group - Name of the group the user belongs to. The system default groups are full, write, read. See below on how to manage user groups.
password - User password. If not specified, it is left blank (hit 'Enter' when logging in). It conforms to standard Unix characteristics of passwords and can contain letters, digits, "*" and "_".
address - IP address from which the user is allowed to log in.
netmask - Network mask of addresses assigned to the user.
The list of active users can be viewed using the /user active print command:
[admin@MikroTik] user> active print
0 when=aug/09/2002 21:46:13 name="admin" address=0.0.0.0 via=console
1 when=aug/09/2002 15:54:36 name="admin" address=0.0.0.0 via=web
2 when=aug/09/2002 14:23:44 name="admin" address=10.0.0.250 via=telnet
[admin@MikroTik] user>
When the user has logged on he can change his password using the /password command.
The user is required to enter his/her current password before entering the new password.
When the user logs out and logs in for the next time, the new password must be entered.
User Groups
User group management can be accessed under the /user group menu:
[admin@MikroTik] user> group print
0 ;;; users with read only permission
name="read"
policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
1 ;;; users with write permission
name="write"
policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
2 ;;; users with complete access
name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
[admin@MikroTik] user>
There are three system groups which cannot be deleted. Use the add command to add a user group:
[admin@MikroTik] user group> add name=reboot policy=telnet,reboot,read
[admin@MikroTik] user group> print
0 ;;; users with read only permission
name="read"
policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
1 ;;; users with write permission
name="write"
policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
2 ;;; users with complete access
name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
3 name="reboot"
policy=!local,telnet,!ssh,!ftp,reboot,read,!write,!policy,!test,!web
[admin@MikroTik] user group>
Here, the argument name is the name of the group, and policy contains the list of policies assigned to the group.
Note: an exclamation sign (!) right before a policy name means "not", that is, the group does not have that policy.
local - User can log on locally via console
telnet - User can log on remotely via telnet
ssh - User can log on remotely via secure shell
ftp - User can log on remotely via ftp and send and retrieve files from the router
reboot - User can reboot the router
read - User can retrieve the configuration
write - User can retrieve and change the configuration
policy - Manage user policies, add and remove user
test - User can run ping, traceroute, bandwidth test
web - User can log on remotely via http
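
The policy list above can be checked mechanically. The following is an added example, not part of the original manual or of RouterOS: a Python script that parses /user group print output (the sample is the listing shown above), treats "!" entries as denied, and reports groups that allow login over unencrypted services (telnet, ftp, http) or that hold the policy permission. The function names parse_groups and audit and the wording of the findings are assumptions made for this example.

```python
import re

# Sample input: the "/user group print" output shown on this page.
SAMPLE = """\
0 ;;; users with read only permission
name="read"
policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
1 ;;; users with write permission
name="write"
policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
2 ;;; users with complete access
name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
3 name="reboot"
policy=!local,telnet,!ssh,!ftp,reboot,read,!write,!policy,!test,!web
"""

# Login methods from the policy list that send credentials unencrypted.
CLEARTEXT = {"telnet", "ftp", "web"}

def parse_groups(text):
    """Return {group name: set of granted policies}; '!x' means x is denied."""
    groups, name = {}, None
    for line in text.splitlines():
        m = re.search(r'name="([^"]+)"', line)
        if m:
            name = m.group(1)
        m = re.search(r"policy=(\S+)", line)
        if m and name is not None:
            items = m.group(1).split(",")
            groups[name] = {p for p in items if p and not p.startswith("!")}
            name = None
    return groups

def audit(groups):
    """Return {group name: list of findings} for groups worth a review."""
    report = {}
    for name, granted in groups.items():
        notes = []
        exposed = sorted(granted & CLEARTEXT)
        if exposed:
            notes.append("cleartext login: " + ",".join(exposed))
        if "policy" in granted:
            notes.append("can add and remove users")
        if "write" in granted and exposed:
            notes.append("configuration changes over cleartext session")
        if notes:
            report[name] = notes
    return report

if __name__ == "__main__":
    for group, notes in audit(parse_groups(SAMPLE)).items():
        print(f"{group}: {'; '.join(notes)}")
```

Run against the listing above, every group is reported, including the custom reboot group, because telnet is granted in all four.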