06-30-2009 11:02 AM - last edited on 03-25-2019 05:26 PM by ciscomoderator
I'd like to give some of my users the ability to see the running config (show run) but at the same time restrict them from doing any config changes. I'd thought I might set their privilege level at something more than 1, but less than 15, but I can't find any documentation regarding privilege levels 2-14.
Or am I misunderstanding how the privilege levels are used? For levels 2-14, are they assigned per command, not to a group of users?
06-30-2009 12:58 PM
A show run is difficult because of the other levels involved. Here's a doc that explains it well. Just shout if you need some help setting it up.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
07-01-2009 05:36 AM
My testing of this issue is being hampered by our configuration on the vty lines. When we apply our standard config, we set privilege level 15 on the vty lines:
line vty 0 15
 privilege level 15
The problem is that when I create a user at a certain privilege level below that and the user accesses the switch via the vty lines, he is automatically granted level 15. Then, when I remove that command from the vty lines, all users who access via the vty lines are set at regular user level, regardless of the privilege level set on their local user account.
Why is that? Are we configuring the vty lines wrong? How can I configure the vty lines so that they recognize the privilege levels set on the local user accounts?
07-01-2009 05:44 AM
You'll have to use AAA as jgambhir suggested.
07-02-2009 06:04 AM
Collin,
Thanks for the input. So, if I want a user to be able to see the running config (show run) I would configure a local user account at a certain privilege level, then set the "show run" command at the same privilege level, correct? In the Cisco documentation you referenced, this is what they did for user 6.
07-03-2009 04:25 AM
Hi,
Yes, right... and if you don't want the user to execute some other show commands, you have to change them to a privilege higher than the one from your local user, because most show commands are in level 1 and so will be inherited by every privilege.
Regards
Please rate helpful posts
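The setup discussed in this part of the thread, as an added IOS configuration sketch that is not taken from any poster or from the linked Cisco note. The usernames, level 6 and the secrets are placeholders chosen for illustration.

```cisco
! Added example (constructed). netview, netadmin, level 6 and the
! secrets are placeholders, not values from the thread.
!
! Before: the line-level setting puts every vty session at level 15,
! whatever level is set on the account.
!   line vty 0 15
!    privilege level 15
!
! After: the level comes from the local account, applied through
! AAA exec authorization as suggested in the thread.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Keep one level-15 account so removing the line-level setting
! does not lock administrators out.
username netadmin privilege 15 secret <placeholder-secret>
username netview privilege 6 secret <placeholder-secret>
!
! Lower "show running-config" to the read-only user's level.
privilege exec level 6 show running-config
!
line vty 0 15
 no privilege level
 login authentication default
!
! Check after logging in as netview:
!   show privilege
! Caveat: below level 15, "show running-config" prints only the
! configuration lines whose commands that level is allowed to change,
! so the output can be close to empty until matching configuration
! commands are also assigned to the level.
```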
06-30-2009 02:32 PM
What you are trying to achieve is possible using tacacs server.
Please see this link,
Regards,
~JG
Do rate helpful posts
07-02-2009 04:52 AM
Hello,
If we are talking about routers, you have many ways to do it locally on the device:
1. through privilege level
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
2. through "menu view"
3. through "CLI view"