Cisco Support Community

Restrict user to exactly two commands, possible?


I want to restrict a user, upon login, to exactly two commands on an IOS router:

1) show users

2) logout

The user must not have access to any other command in the CLI.

But I cannot figure out how to accomplish this.

(config)# username test privilege 0 password test

(config)# privilege exec level 0 show users

not only enables the "show users" subcommand, but also gives access to the whole set of "show" subcommands. How do I allow exactly one subcommand to be available to a user?

If I issue

(config)# privilege exec level 1 show

afterwards, the level 0 user for some reason loses access to the "show users" subcommand.

I've been banging my head against a wall for days. Is what I want to achieve even possible and if it is, how?


Restrict user to exactly two commands, possible?

Using "privileges" in CLI commands is the old way to do "command authorization". I'm not sure if you can do what you want by using "privilege".

My recommendation is to use a TACACS server. You can easily do "command authorization" with a TACACS server.
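A sketch of the TACACS+ command authorization recommended in the reply above, added here as an example and not taken from the thread. It assumes the open-source tac_plus daemon on the server side; the server address 192.0.2.10 and the <SHARED-SECRET> and <PASSWORD> values are placeholders.

```text
! ---- Router side (IOS), legacy "tacacs-server host" syntax ----
aaa new-model
! 192.0.2.10 is a placeholder address for the TACACS+ server
tacacs-server host 192.0.2.10 key <SHARED-SECRET>
!
! Authenticate logins and start the EXEC session via TACACS+,
! falling back to the local user database if the server is unreachable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Ask the server to authorize every command at levels 0 and 1.
! "logout" is a level 0 command and "show" is a level 1 command,
! so both levels must be covered.
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local

# ---- Server side (tac_plus.conf) ----
key = "<SHARED-SECRET>"

user = test {
    # placeholder credential; store a hashed form in practice
    login = cleartext "<PASSWORD>"

    # user lands in an ordinary level 1 EXEC session
    service = exec {
        priv-lvl = 1
    }

    # "show" is allowed only when its arguments begin with "users"
    cmd = show {
        permit ^users
        deny .*
    }

    # "logout" is allowed with any arguments
    cmd = logout {
        permit .*
    }

    # no other cmd blocks: the daemon refuses commands that are not
    # listed unless a default permit has been configured
}
```

On IOS, command authorization is not applied to the console line unless `aaa authorization console` is also configured, so verify the restriction over a VTY session.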
