Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Moving commands between priv levels !

Hi all, this may seem a bit stupid question but i am confused with the wordings presented on cisco docs and ppl referring here. What is meant by "moving" commands between priv levels ?

For example

username admin priv 7 pass cisco

privilege exec level 7 show running-config

Now what this command does is to allow sh run in priv 7 which is not there by default.. so its copying isnt it ? why we call it moving ? i check by going to priv 15 command and show run was still there !!!. I tried it with some other command lets say configure terminal. This makes it way to priv 7 but it was also present in priv 15. So why we call it "moving" ? pls i am not arguing just want to make sure that i get this straight :-). Is there anything i am missing ?


Re: Moving commands between priv levels !

By default, there are three privilege levels on the router.

privilege level 1 = non-privileged (prompt is router>), the default level for logging in

privilege level 15 = privileged (prompt is router#), the level after going into enable mode

privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout.

You could call it moving or copying, the end goal is to allow users in a lower privilege level to have access to the high level command...


Re: Moving commands between priv levels !

I think the "moving" terminology is confusing, but here is what they must mean:

By default, you should be able to access commands at your level and BELOW.

So you move the "show runnning-config" down to level 7 with the command you issued above.

Now Level 7 and above users may use the command.

The problem with that command is that it references a bunch of other commands "within the output" of show running-config. I bet when you login as level 7 and issue "sh run" that the config will be missing huge chunks of data if not everything.

The easiest way to accomplish the "sh run" command is to have ACS. You would give that user level 15 access and then restrict them to issuing just the "sh run" command.

CreatePlease to create content