I want to restrict some users to the "show running-config" command.
I have created a Shell Command Authorization Set with the "show" command and "permit running-config". Under the TACACS+ setting, Shell (exec) is selected and Privilege level is set to a value of 5. The SCAS is associated with the username.
Config on a Router:
aaa authentication login vty group tacacs+ local
aaa authentication login console line
aaa authentication enable default group tacacs+ enable
aaa authorization exec vty group tacacs+ local
aaa authorization commands 5 vty group tacacs+
line vty 0 4
 exec-timeout 30 0
 authorization exec vty
 login authentication vty
The user gets the privilege of 5 when logged in but is unable to execute the command show running-config.
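
Added example, not part of the original post: on IOS a named AAA method list (any name other than default) takes effect only on lines where it is applied, so this Python check reports the named lists in the posted configuration that no line references. The function name and regexes are this example's own; the console line is not shown in the post, so its list is reported as well.

```python
import re

# Configuration as posted above; "line con 0" is not part of the post.
POSTED_CONFIG = """\
aaa authentication login vty group tacacs+ local
aaa authentication login console line
aaa authentication enable default group tacacs+ enable
aaa authorization exec vty group tacacs+ local
aaa authorization commands 5 vty group tacacs+
line vty 0 4
 exec-timeout 30 0
 authorization exec vty
 login authentication vty
"""

# Global definitions: "aaa <service> <list-name> <methods...>"
AAA_DEF = re.compile(
    r"^aaa (authentication login|authorization exec|authorization commands \d+) (\S+)")
# Line-mode references: "<service keyword> <list-name>" (never start with "aaa")
LINE_REF = re.compile(
    r"^(login authentication|authorization exec|authorization commands \d+) (\S+)")


def unapplied_method_lists(config):
    """Return sorted (service, list_name) pairs defined but never applied to a line."""
    defined, applied = set(), set()
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        m = AAA_DEF.match(text)
        if m:
            # The "default" list applies to every line without being referenced.
            if m.group(2) != "default":
                defined.add((m.group(1), m.group(2)))
            continue
        m = LINE_REF.match(text)
        if m:
            service = m.group(1)
            # Line mode says "login authentication", global says "authentication login".
            if service == "login authentication":
                service = "authentication login"
            applied.add((service, m.group(2)))
    return sorted(defined - applied)


if __name__ == "__main__":
    for service, name in unapplied_method_lists(POSTED_CONFIG):
        print(f"named list '{name}' for '{service}' is not applied to any line")
```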