The whole point of the law was to add the ability to tap in, which is what this is. You still need someone to log into the router and setup the account which can do the tap, it can't be remotely activated by spooks.

Though if there are other remote access vulnerabilities, someone may be able to use the feature maliciously once they're in.

Not admin access:

> Calea provided options are available only for specific RouterOS user, as Calea server configuration as "tap" configuration. Specific user should have 'sniff' policy enabled at RouterOS user configuration

So the admin has to set up a user account on the device.

On RouterOS, the default 'admin' user is a member of the 'full' group, which has 'sniff' policy enabled.

So it can be both - dedicated user with the appropriate permission, or admin himself.