Cisco privilege levels

Jun 30th, 2009

I'd like to give some of my users the ability to see the running config (show run) but at the same time restrict them from doing any config changes. I'd thought I might set their privilege level at something more than 1, but less than 15, but I can't find any documentation regarding privilege levels 2-14.

Or am I misunderstanding how the privilege levels are used? For levels 2-14, are they assigned per command, not to a group of users?

pweinhold Wed, 07/01/2009 - 05:36

My testing of this issue is being hampered by our configuration on the vty lines. When we apply our standard config, we set privilege level 15 on the vty lines:

line vty 0 15
 privilege level 15

The problem is that when I create a user at a certain privilege level below that and the user accesses the switch via the vty lines, he is automatically granted level 15. Then, when I remove that command from the vty lines, all users who access via the vty lines are set at regular user level, regardless of the privilege level set on their local user account.

Why is that? Are we configuring the vty lines wrong? How can I configure the vty lines so that they recognize the privilege levels set on the local user accounts?

pweinhold Thu, 07/02/2009 - 06:04


Thanks for the input. So, if I want a user to be able to see the running config (show run) I would configure a local user account at a certain privilege level, then set the "show run" command at the same privilege level, correct? In the Cisco documentation you referenced, this is what they did for user 6.

Amadou TOURE Fri, 07/03/2009 - 04:25


Yes, right... and if you don't want the user to execute some other show commands, you have to change them to a privilege level higher than the one of your local user, because most show commands are at level 1 and so will be inherited by every privilege level.


Please rate helpful posts
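
An added example, not part of any post in this thread or of the Cisco documentation it mentions: an IOS configuration sketch of the setup discussed above, with the vty setting from the question shown beside a variant that takes the level from the local account. The user name auditor6, the choice of level 6 and the placeholder secret are assumptions.

```cisco
! Added example. The user name, level and secret are assumed placeholders.
!
! Local account pinned to privilege level 6.
username auditor6 privilege 6 secret <REPLACE-WITH-SECRET>
!
! Lower the command to the same level as the account.
! Levels are cumulative: level 6 also keeps every command left at levels 1-5,
! which is why most other "show" commands remain available to this user.
privilege exec level 6 show running-config
!
! Before (from the question): every vty session is placed at level 15,
! whatever level the account carries.
!   line vty 0 15
!    privilege level 15
!
! After: the line default is the lowest level, and login is checked against
! the local user database so the session takes the account's level.
line vty 0 15
 privilege level 1
 login local
!
! Checks to run from the restricted user's own session:
!   show privilege        reports the level the session actually received
!   show running-config   accepted at level 6
!   configure terminal    rejected, still a level 15 command
!
! Caveat: below level 15, IOS limits "show running-config" output to the
! configuration the user's level is allowed to change, so the output can be
! much shorter than what a level 15 user sees.
```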

