Change command privilege Level

Unanswered Question
Aug 2nd, 2007

How do you change the privilege level of the "show running-configuration" from privilege 15 to privilege 5 on Cisco 12.x IOS routers and switches?



I want to create a read-only user account, but I want the user to be able to view the device running configuration.


I tried using the privilege command but the show option was not available.





spremkumar Thu, 08/02/2007 - 21:06

hi


I don't think you can bring show run, which is a privilege level 15 command, to another privilege level; better try out with show conf or show start...


regds


mohammedmahmoud Thu, 08/02/2007 - 23:34

Hi,


When access to the router is configured by privilege levels, a common issue is that the show running command is configured at or below the user's privilege level. When the user executes the command, the configuration appears to be blank. This is actually by design, because this command displays all of the commands that the current user is able to modify (in other words, all the commands at or below the user's current privilege level). The command should not display commands above the user's current privilege level because of security considerations. If it did, commands such as snmp-server community could be used to modify the current configuration of the router and gain complete access to the router.


For example, if a certain privilege level is given the privilege to configure under the interface and to do show run, then when a user does show run at this level, he will get only the interface configurations:


privilege configure all level 5 interface
privilege exec all level 5 show running-config

Router#sh run
Building configuration...

Current configuration : 1055 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
ip address 10.10.10.2 255.255.255.255
!
interface Serial1/1
no ip address
shutdown
!
end

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml



HTH,

Mohammed Mahmoud.
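
The filtering described in the reply above, as an added example that is not part of the original post and is not Cisco's code: a simplified Python model that reads the `privilege` lines from a configuration and returns what a user at a given level would see in show run. The sample configuration, the community string and the function names are constructed, and the rule that sub-commands follow their block only when the `all` keyword is present is an assumption of the model.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
privilege configure all level 5 interface
privilege exec all level 5 show running-config
hostname Router
snmp-server community EXAMPLE-STRING RW
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
interface Serial1/1
 no ip address
 shutdown
"""

# privilege <mode> [all] level <n> <command>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(all\s+)?level\s+(\d+)\s+(.+)$")

def parse_privilege_rules(config):
    """Return [(mode, has_all_keyword, level, command_prefix), ...]."""
    rules = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            rules.append((m.group(1), bool(m.group(2)), int(m.group(3)), m.group(4).strip()))
    return rules

def visible_config(config, user_level):
    """Simplified model: keep only lines at or below user_level."""
    rules = [r for r in parse_privilege_rules(config) if r[0] == "configure"]
    shown, show_children = [], False
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):          # sub-command of the current block
            if show_children:
                shown.append(line)
            continue
        level, with_all = 15, True        # commands with no rule stay at level 15
        for _mode, has_all, lvl, prefix in rules:
            if line == prefix or line.startswith(prefix + " "):
                level, with_all = lvl, has_all
        visible = level <= user_level
        show_children = visible and with_all
        if visible:
            shown.append(line)
    return shown

if __name__ == "__main__":
    print("\n".join(visible_config(SAMPLE_CONFIG, 5)))
```

At level 5 the model returns only the two interface blocks, matching the output in the post; the snmp-server community line stays hidden because nothing lowered it from level 15.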
