I'd like to give some of my users the ability to see the running config (show run) but at the same time restrict them from doing any config changes. I'd thought I might set their privilege level at something more than 1, but less than 15, but I can't find any documentation regarding privilege levels 2-14.
Or am I misunderstanding how the privilege levels are used? For levels 2-14, are they assigned per command, not to a group of users?
My testing of this issue is being hampered by our configuration on the vty lines. When we apply our standard config, we set privilege level 15 on the vty lines:
line vty 0 15
privilege level 15
The problem is that when I create a user at a certain privilege level below that and the user accesses the switch via the vty lines, he is automatically granted level 15. Then, when I remove that command from the vty lines, all users who access via the vty lines are set at regular user level, regardless of the privilege level set on their local user account.
Why is that? Are we configuring the vty lines wrong? How can I configure the vty lines so that they recognize the privilege levels set on the local user accounts?
Thanks for the input. So, if I want a user to be able to see the running config (show run) I would configure a local user account at a certain privilege level, then set the "show run" command at the same privilege level, correct? In the Cisco documentation you referenced, this is what they did for user 6.
Yes right...and if you don't want the user to execute some other show command, you have to change them to a privilege higher than the one from your local user beacuse most show command are in level 1 so will be inherited by every privilege.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :