Do you have access to a  RaDIUS or TACAS+ server? It may be possible to reach your goals with those tools. If I am understanding your question correctly, I do not know of a way. You could look at deploying an ACL to limit what has access in.

Hi Eckzyzxx45,

For the User EXEC mode, you can connect via console or virtual terminal line. 

A username/password requirement can be set for these, by issuing the "line" command from global configuration mode. 

configure terminal 

line console 0

login

password _______                    ....This will require a password to connect via serial/console 

Replicate this command with "line vty 0 15"  instead of "console" to set a password requirement for Telnet or SSH. 

To protect Privileged EXEC mode, you should use the "enable secret" command to provide authentication. 

configure terminal 

enable secret __(password here)____

Once a user is in Privileged EXEC mode, I do not believe it is possible to password protect Global Configuration mode. Perhaps by setting a very low privilege level to exec mode, level 1 for example, it could be possible, though that did not work when I tested it with Packet Tracer. 

Therefore, if you wish to prevent a user from accessing configuration mode, I would only provide that user with a console/vty password to enter user mode, and restrict entering privileged mode

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage. In no even shall the author be liable or accountable, as any posting or comments are strictly based on authors knowledge and or understanding of the question.

By reading your post, it is difficult to determine what commands or rights you want to grant at each level. To accomplish your goal, you need to use aaa new-model commands. The end-state is to set authorization and authentication for certain commands or levels. This normally includes setting specific attributes that are authenticated against TACACS+ or RADIUS. If there are commands you want to set for a specific group you would set that under "aaa" command family (subcommands). 

It is fairly simple to build out a radius server to respond to the command you want to allow or not allow from a specific user. Please see below and let me know if this answers your question:

rt#show run | s aaa|line
aaa new-model
aaa group server radius Radius_Server1
ip radius source-interface GigabitEthernet0/2
aaa authentication username-prompt "User Login:"
aaa authentication login default group radius local enable (primary point of interest)
aaa authentication enable default enable (primary point of interest)
aaa authorization exec default group Radius_Server1 local  (primary point of interest and so others exist)
aaa session-id common
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4

login authentication default (or whatever group you used)
access-class 50 in
access-class 50 out
transport input ssh
transport output ssh
line vty 5 1869

login authentication default (or whatever group you used)
access-class 50 in
access-class 50 out
transport input ssh
transport output ssh
rt#

Keep in mind that the more granular you want to go with this, the more features or capabilities a system must have. Example, if you want to tag traffic known from a specific system... you can use ISE/firewll/etc to do SGT or security group tagging (unrelated to question but an example). If you want authentication, authorization, and maybe accounting you may want to use Microsoft Radius or something along those lines.

Cisco Configuration Guides:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathor.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html (similar but this shows or uses PPP commands & Radius)

Again if I understand correctly please let me know. If not please let me know. If more data is needed, just reply and I will try to post a specific example you and a configure on/in dropbox/elephant/onedrive (blog post at http://www.cerbros.net/ (click blog) at request (above disclaimer applies to site post/blogs)).