Hello,

I use ARP to tie MAC's with Ip addresse's. However this addresses still can be accessible by others, when they configure their computers to use static IP.
How to prevent users to set their Ip static ? Only microtic should be able to give user the address.

Do you mean making a dynamically assigned IP into a static IP?

Select the Lease and in the right hand menu select make static
or right click on the Lease and on the pop up menu select make static.

Hello,

I use ARP to tie MAC's with Ip addresse's. However this addresses still can be accessible by others, when they configure their computers to use static IP.
How to prevent users to set their Ip static ? Only microtic should be able to give user the address.

You can't prevent users from manually configure their devices. You can only try to prevent users from using your network unless IP address is assigned through DHCP server.
This battle involves populating firewall whitelists from the list of active DHCP leases - this can't be done out-of-a-box, you'll have to construct some scripts. Take care also of removals from white lists - this should more or less take care of "IP address hijackers", where user statically configures IP address which is already used by a DHCP client ... both devices will detect IP address conflict, but the DHCP client will likely request another lease thus making DHCP server consider the problematic IP address to be unassigned.

Another possibility would be MAC filtering. But you have to be careful to allow DHCP procedures even for "unknown" clients which should be denied to access your network.

As i thought the things aren't so simple. Windows UAC prevent my users to change their Ip manually, but still there is some possibility to connect private PC via ethernet cable and set IP manually.
My users have definied their IP as static on DHCP server, and noone should impersonate them. Didn't realize it's so problematic.

If client devices have static DHCP leases, then in case of IP address conflict DHCP server will not resolve the situation ... so the issue evolves to a denial-of-service state ... hopefully legitimate user will report it and you'll be able to launch a raid on plaintiff.

Fight against illegitimate devices on a network is an uphill battle. 802.1x is one way of dealing with it.