Hi Jackal, if you didn't get a response yet, you need to click the user you created and scroll down to the portion called "TACACS+ Enable Control". Click "Define max Privilege on a per Network device group basis". Choose the "Device group" you want to apply the restrictions to and then level you want to apply. Usually a level 1 will get you the show commands but you'll have to be careful. Setting the level too low may not give them Enable rights.