ASA Read only User

Answered Question
Jan 14th, 2009
User Badges:

Hello Everyone,

Can someon tell me the command for createing a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?

Thanks in advance! All replies rated

Correct Answer by JORGE RODRIGUEZ about 8 years 5 months ago

Ok , you must be missing this statement, try with that user after you enter this in asa and let me know.

aaa authorization command LOCAL

Additional reference for aaa authorization command


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
JORGE RODRIGUEZ Wed, 01/14/2009 - 21:15
User Badges:
  • Green, 3000 points or more

You can use privilege level 5, this will allow to enable mode but it will not give config t access, nor clear xlates or any clear commands, it can however issue show and its subcommands including show run , same applies when using asdm.

create user in asa local database

asa(config)#username password priviledge 5

enable AAA to use ASA local user database

asa(config)#aaa authentication telnet console LOCAL

asa> en

Password: *******

asa#config t


ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

asa#clear xlate

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed



angel-moon Mon, 01/19/2009 - 15:21
User Badges:

Thanks. I am not sure if access by SSH makes a difference but the user is using SSH and SSH is configured to authenticate to the local database but the user can still get to config t. I am running 7.2 if that makes a difference.

angel-moon Tue, 01/20/2009 - 12:21
User Badges:


yes I do have the above listed statement and have defined the priviledge level as the first post said.


angel-moon Tue, 01/20/2009 - 12:51
User Badges:

That was it. Thanks! Just to make sure, this ASA is also authenticating users for VPN connections by pointing to the domain. This should not impact those users correct?

Thanks so much!!

JORGE RODRIGUEZ Tue, 01/20/2009 - 13:49
User Badges:
  • Green, 3000 points or more

Angel, it should not impact any VPN related authentication , this only pertains to authorization managing the ASA applience.

Glad it is resolved and thank you for rating.


goulin Mon, 09/17/2012 - 21:45
User Badges:


I just stumbled onto this post.  I was wondering if there was a generic command to allow access to all show commands, instead of individually having to specify them:

e.g. at the moment I have a Level 5 user who I want to have access to all show commands, but not configuration mode, and I have to manually specify each command:

privilege show level 5 mode exec command running-config

privilege show level 5 mode exec command log

Is there an equivalent of show * that I can add?



This Discussion