User management
Summary
The MikroTik RouterOS router user facility manages the users who connect to the router from any of the management tools. Users are authenticated against either a local database or a designated RADIUS server. Each user is assigned to a user group, which defines the rights of that user. A group policy is a combination of individual policy items.
If user authentication is performed via RADIUS, the RADIUS client must be configured beforehand.
User Settings
The settings submenu controls the password complexity requirements for router users.

| Property | Description |
|---|---|
| minimum-password-length (integer; 0..4294967295; Default: ) | Specifies the minimum character length of the user password |
| minimum-categories (integer; 0..4; Default: ) | Specifies the complexity requirements of the password, with categories being uppercase, lowercase, digit, symbol. |
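The two settings above can be pre-checked before a password reaches `/user add` or `/user set`. The following is an added example written for this page, not RouterOS code: it re-implements the length and category rules exactly as the table describes them (four categories: uppercase, lowercase, digit, symbol); the sample policy values are constructed.

```python
# Added example (not RouterOS code): re-implements the password policy the
# "User Settings" submenu describes, so an operator can pre-check passwords
# before running "/user set" or "/user add". The four categories are the ones
# the page names: uppercase, lowercase, digit, symbol.
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_password_length: int = 0   # 0 means no length requirement
    minimum_categories: int = 0        # 0..4 distinct categories required


def categories_present(password: str) -> set:
    """Return which of the four character categories appear in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("uppercase")
        elif ch.islower():
            found.add("lowercase")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")   # punctuation, space, anything else counts as a symbol
    return found


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    if not 0 <= policy.minimum_categories <= 4:
        raise ValueError("minimum-categories must be in the range 0..4")
    problems = []
    if len(password) < policy.minimum_password_length:
        problems.append(
            f"length {len(password)} is below minimum-password-length "
            f"{policy.minimum_password_length}"
        )
    have = categories_present(password)
    if len(have) < policy.minimum_categories:
        problems.append(
            f"only {len(have)} of the required {policy.minimum_categories} "
            f"categories present ({', '.join(sorted(have)) or 'none'})"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample policy: at least 12 characters from at least 3 categories.
    policy = PasswordPolicy(minimum_password_length=12, minimum_categories=3)
    for candidate in ["admin", "CorrectHorse", "C0rrect-Horse-Battery"]:
        verdict = check_password(candidate, policy)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```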
User Groups
The router user groups provide a convenient way to assign different permissions and access rights to different user classes.
Properties
| Property | Description |
|---|---|
| name (string; Default: ) | The name of the user group |
| policy (local \| telnet \| ssh \| ftp \| reboot \| read \| write \| policy \| test \| winbox \| password \| web \| sniff \| sensitive \| api \| romon \| dude \| tikapp; Default: none) | List of allowed policies (see below) |
| skin (name; Default: default) | Used skin for WebFig |

Login policies:
- local - grants rights to log in locally via console
- telnet - grants rights to log in remotely via telnet
- ssh - grants rights to log in remotely via secure shell protocol
- web - grants rights to log in remotely via WebFig
- winbox - grants rights to log in remotely via WinBox and bandwidth test authentication
- password - grants rights to change the password
- api - grants rights to access the router via API
- rest-api - grants rights to access the router via REST API
- ftp - grants full rights to log in remotely via FTP. Allows reading, writing and erasing files and transferring files from/to the router. Should be used together with the read/write policies.
- romon - grants rights to connect to the RoMon server

Config policies:
- reboot - allows rebooting the router
- read - grants read access to the router's configuration. All console commands that do not alter the router's configuration are allowed. Does not affect FTP.
- write - grants write access to the router's configuration, except for user management. This policy does not allow reading the configuration, so make sure to enable the read policy as well.
- policy - grants user management rights. Should be used together with the write policy. Also allows seeing global variables created by other users (requires the test policy as well).
- test - grants rights to run ping, traceroute, bandwidth-test, wireless scan, snooper, fetch, email and other test commands
- sensitive - grants rights to change the "hide sensitive" option; if this policy is disabled, sensitive information is not displayed
- sniff - grants rights to use the packet sniffer tool
Default groups
There are three default system groups which cannot be deleted:

```
[admin@MikroTik] > /user group print
0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!dude skin=default
```

Please note that even the "read" group includes sensitive, reboot and other important policies, so it should not be given to untrusted users. For truly limited groups, create a custom group that defines only the specific policies needed. All groups have access to file operations. An exclamation mark '!' immediately before a policy item name means NOT (that policy is denied).
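To audit which groups grant the important policies the note above warns about, the terse `/user group print` output can be parsed offline. This is an added example, not RouterOS code: the sample output is constructed (the three default groups plus a hypothetical custom "monitor" group), and the set of policies treated as high-impact is the one the page itself calls out.

```python
# Added example (not RouterOS code): parses terse "/user group print" output
# and reports which groups grant high-impact policies. A "!" prefix denies a
# policy, exactly as the page explains, so those entries are dropped.
import re

# Per the page: "policy" is user management, "write" changes configuration,
# "ftp" gives full file access, "reboot" restarts the router, "sensitive"
# reveals hidden secrets. None of these belong in a group for untrusted users.
HIGH_IMPACT = {"policy", "write", "ftp", "reboot", "sensitive"}

# Constructed sample: the three default groups plus a hypothetical custom group.
SAMPLE_OUTPUT = """\
[admin@MikroTik] > /user group print
0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!dude skin=default
3 name="monitor" policy=ssh,read,winbox,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp skin=default
"""

# One item per line: index, name="...", policy=comma-separated list, skin=...
LINE_RE = re.compile(r'^\s*\d+\s+name="(?P<name>[^"]*)"\s+policy=(?P<policy>\S+)')


def parse_groups(output: str) -> dict:
    """Map group name -> set of granted policies ("!"-prefixed entries are dropped)."""
    groups = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # prompt line or anything else that is not an item
        granted = {p for p in m.group("policy").split(",") if p and not p.startswith("!")}
        groups[m.group("name")] = granted
    return groups


def risky_groups(groups: dict) -> dict:
    """Return {group: sorted high-impact policies it grants} for groups granting any."""
    return {
        name: sorted(granted & HIGH_IMPACT)
        for name, granted in groups.items()
        if granted & HIGH_IMPACT
    }


if __name__ == "__main__":
    for name, policies in risky_groups(parse_groups(SAMPLE_OUTPUT)).items():
        print(f"{name}: grants {', '.join(policies)}")
```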
Router Users
The router user database stores, for each member of the router management personnel, information such as the username, password, allowed access addresses and group.
Properties
| Property | Description |
|---|---|
| address (IP/mask \| IPv6 prefix; Default: ) | Host or network address from which the user is allowed to log in |
| group (string; Default: ) | Name of the group the user belongs to |
| name (string; Default: ) | User name. Although it must start with an alphanumeric character, it may contain "*", "_", "." and "@" symbols. |
| password (string; Default: ) | User password. If not specified, it is left blank (hit [Enter] when logging in). It conforms to standard Unix characteristics of passwords and may contain letters, digits, "*" and "_" symbols. |
| last-logged-in (time and date; Default: "") | Read-only field. Last time and date when the user logged in. |
Notes
There is one predefined user with full access rights:

```
[admin@MikroTik] user> print
Flags: X - disabled
 #   NAME    GROUP   ADDRESS     LAST-LOGGED-IN
 0   ;;; system default user
     admin   full    0.0.0.0/0   dec/08/2010 16:19:24
```

There should always be at least one user with full access rights. If only one user has full access rights, that user cannot be removed.
Monitoring Active Users
```
/user active print
```

The command shows the currently active users along with the respective statistics information.
Properties
All properties are read-only.
| Property | Description |
|---|---|
| address (IP/IPv6 address) | Host IP/IPv6 address from which the user is accessing the router. 0.0.0.0 means that the user is logged in locally |
| group (string) | The group that the user belongs to. |
| name (string) | User name. |
| radius (true \| false) | Whether the user is authenticated by the RADIUS server. |
| via (local \| telnet \| ssh \| winbox \| api \| web \| tikapp \| ftp \| dude) | User's access method |
| when (time) | Time and date when the user logged in. |
Remote AAA
Router user remote AAA enables router user authentication and accounting via a RADIUS server. The RADIUS user database is consulted only if the required username is not found in the local user database.
Properties
| Property | Description |
|---|---|
| accounting (yes \| no; Default: yes) | Enable accounting of router user sessions via the RADIUS server |
| exclude-groups (list of group names; Default: ) | Groups that must not be used for users authenticated by RADIUS. If the RADIUS server returns a group specified in this list, the default-group is used instead. This protects against privilege escalation where a user without the policy permission changes the RADIUS server list, sets up their own RADIUS server and logs in as admin. |
| default-group (string; Default: read) | User group used by default for users authenticated via a RADIUS server. |
| interim-update (time; Default: 0s) | Interim-Update time interval |
| use-radius (yes \| no; Default: no) | Enable user authentication via RADIUS |

Info: If you are using RADIUS, CHAP support must be enabled in the RADIUS server for WinBox to work.
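The exclude-groups protection above is only effective if the privileged groups are actually listed. The following added example (not RouterOS code) audits a `/user aaa` configuration for that: both the key/value text in `/user aaa print` style and the group-to-policy mapping are constructed inputs, and "privileged" is taken to mean a group granting the `policy` (user management) or `write` right.

```python
# Added example (not RouterOS code): checks a "/user aaa" configuration against
# the exclude-groups guidance on this page. Inputs are constructed; in practice
# they come from "/user aaa print" and "/user group print".

# Constructed "/user aaa print" style output (one "key: value" per line).
AAA_OUTPUT = """\
      use-radius: yes
      accounting: yes
  interim-update: 0s
   default-group: read
  exclude-groups: 
"""

# Constructed: granted policies per local group (abbreviated from the defaults).
GROUPS = {
    "read": {"local", "ssh", "read", "reboot", "sensitive", "winbox"},
    "write": {"local", "ssh", "read", "write", "reboot", "sensitive", "winbox"},
    "full": {"local", "ssh", "read", "write", "policy", "ftp", "reboot", "sensitive", "winbox"},
}

# Rights that let a RADIUS-assigned user change configuration or manage users.
PRIVILEGED = {"policy", "write"}


def parse_aaa(output: str) -> dict:
    """Parse 'key: value' lines into a dict; exclude-groups becomes a list."""
    settings = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "exclude-groups":
            settings[key] = [g for g in value.split(",") if g]
        else:
            settings[key] = value
    return settings


def aaa_findings(settings: dict, groups: dict) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if settings.get("use-radius") != "yes":
        return findings   # RADIUS is not consulted, so exclude-groups is moot
    excluded = set(settings.get("exclude-groups", []))
    default = settings.get("default-group", "read")   # page: default is "read"
    if groups.get(default, set()) & PRIVILEGED:
        findings.append(
            f"default-group '{default}' grants {sorted(groups[default] & PRIVILEGED)}"
        )
    for name, policies in groups.items():
        if policies & PRIVILEGED and name not in excluded:
            findings.append(
                f"group '{name}' grants {sorted(policies & PRIVILEGED)} but is not in "
                "exclude-groups; a RADIUS reply naming it would grant those rights"
            )
    return findings


if __name__ == "__main__":
    for finding in aaa_findings(parse_aaa(AAA_OUTPUT), GROUPS):
        print(finding)
```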
SSH Keys
This menu allows importing private and public keys used for SSH authentication.

Warning: By default, a user is not allowed to log in via SSH with a password once an SSH key for that user has been added. For more details see the SSH page.
Public keys
This menu is used to import and list imported public keys. Public keys are used to verify another device's identity when it logs into the router using an SSH key.
When importing a public key, it is possible to specify the key-owner.

Info: RSA and Ed25519 keys are supported in PEM, PKCS#8, or OpenSSH format.

| Property | Description |
|---|---|
| user (string; Default: ) | username to which the SSH key is assigned. |
| key-owner (string) | SSH key owner |
| public-key-file (string) | file name in the router's root directory containing the public key. |
Private keys
This menu is used to import and list imported private keys. Private keys are used to prove the router's identity when it logs into another device using an SSH key.
When importing a private key, it is possible to specify the key-owner.

Info: RSA keys are supported in PEM or PKCS#8 format.

| Property | Description |
|---|---|
| user (string; Default: ) | username to which the SSH key is assigned. |
| key-owner (string) | SSH key owner |
| private-key-file (string) | file name in the router's root directory containing the private key. |
| passphrase (string) | key file passphrase |
/user
User management: console command reference (condensed from the console help)

- add - Create a new item. Parameters:
  - address - Network address part of addresses user is allowed to use
  - comment (string) - Short description of the item. Adds short description to one or several specified items.
  - ID of item to make a copy from
  - disabled - Defines whether item is ignored or used
  - group - Group management. Manage user groups. Set up groups for accessing separate services and rebooting router.
  - name (string) - User name
  - password (string) - User password
- comment - Set comment for items. Parameters: comment (string) - Short description of the item; List of item numbers.
- disable - Disable items. Parameter: List of item numbers.
- edit - Edit items. Parameters: Item number; Name of editable property, one of address | comment | group | name | password.
- enable - Enable items. Parameter: List of item numbers.
- export - Print or save an export script that can be used to restore configuration. Parameters:
  - (switch) Only exports user-changed settings without defaults
  - File name (string) - Name of the file that will be stored in FTP access area.
  - (switch) Hides sensitive information like passwords from being printed
  - (switch) Creates export with output without line wraps
  - (switch) Creates output with all RouterOS settings (including the default ones)
- find - Find items by value. Parameter: (query) Generates output depending on values supplied (used mainly for scripting).
- get - Gets value of item's property. Parameters: Item number; Name of the value you want to get, one of address | comment | disabled | group | last-logged-in | name | password.
- print - Print values of item properties. Parameters:
  - (switch) Controls if print to file overwrites or appends to content of an existing file
  - (switch) Prints out output as value (used in scripting)
  - (switch) Displays brief description
  - (switch) Shows only the count of special login users
  - (switch) Displays detailed information
  - (string) Print the content of the submenu into specific file
  - (switch) Updates output in real-time
  - (switch) Will output changes that have occurred after invoking command
  - (switch) Print parameters only from specified item
  - Displays information and refreshes it in selected time interval
  - Names of properties, any of address | comment | disabled | group | last-logged-in | name | password
  - (switch) Prints static IDs for selected submenu (Requires: Option.npk)
  - (switch) Show details in compact and machine friendly format
  - (switch) Show properties one per line
  - (query) Generates output depending on values supplied (used mainly for scripting)
  - (switch) Displays information in one piece
- remove - Remove item. Parameter: List of item numbers.
- set - Change item properties. Parameters: address; comment (string); disabled; group; name (string); List of item numbers; password (string). Meanings as for add.
/user/aaa
Authentication Authorization and Accounting

- edit - Edit items. Parameter: Name of editable property, one of accounting | default-group | exclude-groups | interim-update | use-radius.
- export - Print or save an export script that can be used to restore configuration. Parameters:
  - (switch) Only exports user-changed settings without defaults
  - File name (string) - Name of the file that will be stored in FTP access area.
  - (switch) Hides sensitive information like passwords from being printed
  - (switch) Creates export with output without line wraps
  - (switch) Creates output with all RouterOS settings (including the default ones)
- get - Gets value of item's property. Parameter: Name of the value you want to get, one of accounting | default-group | exclude-groups | interim-update | use-radius.
- print - Print values of item properties. Parameters:
  - (switch) Prints out output as value (used in scripting)
  - (string) Print the content of the submenu into specific file
  - Displays information and refreshes it in selected time interval
  - (switch) Displays information in one piece
- set - Change item properties. Parameters:
  - accounting - Status of aaa (yes/no)
  - default-group - Set type of the default group
  - exclude-groups (multiple values) - List of groups to exclude
  - interim-update - Defines time interval between communications with the router
  - use-radius - Use or not radius
/user/active
Active users

- find - Find items by value. Parameter: (query) Generates output depending on values supplied (used mainly for scripting).
- get - Gets value of item's property. Parameters: Item number; Name of the value you want to get, one of address | by-romon | group | name | radius | via | when.
- print - Print values of item properties. Parameters:
  - (switch) Controls if print to file overwrites or appends to content of an existing file
  - (switch) Prints out output as value (used in scripting)
  - (switch) Displays brief description
  - (switch) Shows only the count of special login users
  - (switch) Displays detailed information
  - (string) Print the content of the submenu into specific file
  - (switch) Updates output in real-time
  - (switch) Will output changes that have occurred after invoking command
  - (switch) Print parameters only from specified item
  - Displays information and refreshes it in selected time interval
  - Names of properties, any of address | by-romon | group | name | radius | via | when
  - (switch) Prints static IDs for selected submenu
  - (switch) Show details in compact and machine friendly format
  - (switch) Show properties one per line
  - (query) Generates output depending on values supplied (used mainly for scripting)
  - (switch) Displays information in one piece
/user/group
Group management

- add - Create a new item. Parameters:
  - comment (string) - Short description of the item. Adds short description to one or several specified items.
  - ID of item to make a copy from
  - name (string) - New group name
  - policy (multiple values, each optionally prefixed with '!') - Group policy
  - skin - Default Webfig skin for group
- comment - Set comment for items. Parameters: comment (string) - Short description of the item; List of item numbers.
- edit - Edit items. Parameters: Item number; Name of editable property, one of comment | name | policy | skin.
- export - Print or save an export script that can be used to restore configuration. Parameters:
  - (switch) Only exports user-changed settings without defaults
  - File name (string) - Name of the file that will be stored in FTP access area.
  - (switch) Hides sensitive information like passwords from being printed
  - (switch) Creates export with output without line wraps
  - (switch) Creates output with all RouterOS settings (including the default ones)
- find - Find items by value. Parameter: (query) Generates output depending on values supplied (used mainly for scripting).
- get - Gets value of item's property. Parameters: Item number; Name of the value you want to get, one of comment | name | policy | skin.
- print - Print values of item properties. Parameters:
  - (switch) Controls if print to file overwrites or appends to content of an existing file
  - (switch) Prints out output as value (used in scripting)
  - (switch) Displays brief description
  - (switch) Shows only the count of special login users
  - (switch) Displays detailed information
  - (string) Print the content of the submenu into specific file
  - (switch) Updates output in real-time
  - (switch) Will output changes that have occurred after invoking command
  - (switch) Print parameters only from specified item
  - Displays information and refreshes it in selected time interval
  - Names of properties, any of comment | name | policy | skin
  - (switch) Prints static IDs for selected submenu (Requires: Option.npk)
  - (switch) Show details in compact and machine friendly format
  - (switch) Show properties one per line
  - (query) Generates output depending on values supplied (used mainly for scripting)
  - (switch) Displays information in one piece
- remove - Remove item. Parameter: List of item numbers.
- set - Change item properties. Parameters:
  - comment (string) - Short description of the item. Adds short description to one or several specified items.
  - name (string) - New group name
  - numbers - List of item numbers
  - policy (multiple values, each optionally prefixed with '!') - Group policy
  - skin - Default Webfig skin for group