I am aware I can control access to services (web, winbox, api, etc.) and rights (read, write, sensitive, etc.), but how can I control access to features (/ip firewall nat for example)?
You can use the API to make your own GUI tool, or you can use Design Skin mode to modify Webfig to hide unnecessary menus.
This is more cosmetic though, not very secure.
You mention that it's "not very secure". Is this because a user could craft manual HTTP requests and send them to Webfig? If they had another RouterOS to play with, determining these requests would be very easy (Chrome developer tools / Wireshark) I think?
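For the "make your own GUI tool with the API" route suggested above, feature-level control only holds if the tool enforces it on the server side before a command reaches the router. The following is an added example, not code from this thread or from MikroTik: a deny-by-default check on RouterOS API command words such as `/ip/firewall/nat/print`. The role names, policy contents and function names are assumptions made for illustration.

```python
# Added example: server-side, deny-by-default filter for RouterOS API command
# words. Roles and policy entries below are constructed for illustration.
import re

POLICY = {
    "helpdesk": {
        "allow": {"/ip/address": {"print"},
                  "/ip/dhcp-server/lease": {"print", "remove"}},
        "deny": set(),
    },
    "netadmin": {
        # Whole /ip subtree is allowed, except the NAT menu.
        "allow": {"/ip": {"print", "add", "set", "remove"},
                  "/interface": {"print", "set"}},
        "deny": {"/ip/firewall/nat"},
    },
}

# Only lowercase path segments; anything else (dots, empty segments) is rejected.
_WORD = re.compile(r"^(/[a-z0-9-]+)+$")

def split_command(word):
    """Split '/ip/firewall/nat/print' into ('/ip/firewall/nat', 'print')."""
    if not _WORD.match(word):
        raise ValueError("malformed command word")
    menu, _, verb = word.rpartition("/")
    if not menu:
        raise ValueError("command word has no menu path")
    return menu, verb

def _covers(prefix, menu):
    # Match whole path segments: '/ip/address' must not cover '/ip/address-list'.
    return menu == prefix or menu.startswith(prefix + "/")

def is_allowed(role, word):
    """True only if the role's allowlist covers the menu and verb and no deny matches."""
    rule = POLICY.get(role)
    if rule is None:
        return False
    try:
        menu, verb = split_command(word)
    except ValueError:
        return False          # fail closed on anything unparseable
    if any(_covers(d, menu) for d in rule["deny"]):
        return False          # explicit deny wins over any allow
    return any(_covers(p, menu) and verb in verbs
               for p, verbs in rule["allow"].items())
```

The check belongs in the backend that holds the router credentials, so a user who bypasses the front end still cannot reach a menu outside their role.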