The only thing I can think of is to do command authorization and only allow the users to go under the interfaces that are access ports and not authorize them to do "interface " for the trunk interfaces.
I hope it helps.
PK