Privilege command

Hi,
I'd like to use this command:
privilege mode [all] level level command-string
But "all" is not present on my different routers and switches.
I use this IOS for my Catalyst 3550: c3550-ipservicesk9-mz.122-35.SE
Can anybody help me?
Best regards

Hi Jean
Use privilege 15 instead of privilege all
Regards

Similar Messages

  • Privilege command help

    Hi,
    I have a question on the username and privilege levels
    These are the commands
    username jason level5 password Jas0n
    enable secret ***
    privilege mode all level5 show
    Q1. Can we use different enable secrets for different levels on the same router to give access to different users?
    Q2. When I log in to the router enable mode I use the username of Jason and my password, so will that automatically put me in level5 mode?
    Thx for the help
    Jason

    Jason, In your example, your Jas0n password will log you right into enable mode. The Enable secret password would be like a back door for someone who logged in with less than enable-level privileges, to be able to get to enable mode with an extra login step.
    Check out this doc and you should get it.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7cd.html

  • Privilege command: the show run does not show the running-config

    Hi,
    Whenever I log in using "user1" I can successfully authenticate; however, when I issue the show run for user1, the only thing that I can see is the following:
    R4#show run
    Building configuration...
    Current configuration : 13 bytes
    end
    R4#
    I have put the command on the router as follows:
    ~~~~~~~~~~~~~~~~~~~~~
    aaa new-model
    aaa authentication login ACS group tacacs+ local
    aaa authentication login NO-AUTH none
    aaa authorization exec ACS group tacacs+ local
    aaa authorization exec NO-AUTH none
    aaa authorization commands 1 ACS-1 group tacacs+ local
    aaa authorization commands 1 NO-AUTH none
    aaa authorization commands 10 ACS-10 group tacacs+ local
    aaa authorization commands 10 NO-AUTH none
    aaa authorization commands 15 ACS-15 group tacacs+ local
    aaa authorization commands 15 NO-AUTH none
    username user2 privilege 15 password xxx
    username user1 privilege 10 password xxx
    tacacs-server host 10.50.31.6
    tacacs-server directed-request
    tacacs-server key xxx
    privilege exec level 15 show
    privilege exec level 10 show running-config
    line con 0
    exec-timeout 1000 0
    authorization commands 1 NO-AUTH
    authorization commands 10 NO-AUTH
    authorization commands 15 NO-AUTH
    authorization exec NO-AUTH
    login authentication NO-AUTH
    line aux 0
    authorization commands 1 NO-AUTH
    authorization commands 10 NO-AUTH
    authorization commands 15 NO-AUTH
    authorization exec NO-AUTH
    login authentication NO-AUTH
    line vty 0 4
    authorization commands 1 ACS-1
    authorization commands 10 ACS-10
    authorization commands 15 ACS-15
    authorization exec ACS
    login authentication ACS
    end
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Regards,
    Lorenz

    Lorenz
    I believe that the answer is that in implementing privilege levels Cisco designed the show run command so that if you do not have capability to change something that it will not show up in the show run. I believe the logic is that from a security standpoint if you are not authorized to change it you should not be able to see it in the config. So in your case if user1 is not able to change anything then they will not be able to see anything in show run.
    HTH
    Rick

  • [SOLVED]Root Privilege Command in Openbox Menu

    This is my first post as an Arch user, and I just thought I would start by saying hi!!!
    Anyway, I have recently moved from CrunchBang Linux 9.04 to Arch Linux.  I have set up an Openbox session as my default.  I have gotten everything to work so far except for one thing:
    Let's say you add something to the Openbox menu, like gparted.  Gparted requires root privilege to run.  Under Ubuntu/Debian, I would simply use "gksu gparted" as the command because that would prompt me for the password and then run the program.  I am not aware of any way to do such a thing in Arch Linux.  Is there a simple way to do this?
    -thanks
    Last edited by Dr Belka (2010-04-04 17:54:48)

    You're in Arch country now, boy. You want fancy gksu, you pacMAN up and install it.
    Also note gksu comes with gksudo so you can use your password rather than root's - assuming you're in the sudoers file.
    Last edited by Mardoct (2010-04-04 17:53:15)

  • Router privilege command syntax

    Have a local username and pw setup. then set up priv exec level 0 sh running-config.
    But we only get like 10 lines of sh run when logging in as this user.
    Tried to go to level 8 and got the same small number of sh run lines. Any ideas what we're doing wrong?

    See in line,
    One more question - so the level of cmd's you are able to access is entirely dependent on who you sign in as and what level (or what cmd's) is/are assigned to that user?
    ----> Yes, that depends on the priv level of the user and the commands.
    Also, I need to verify for my cust that the question above is correct and applies irregardless of which line you come in on?
    ---> Line does not matter here. No matter where the user comes from, priv lvl takes effect.
    Is there any additional granularity you can assign to the VTY's or Con (other than ACL and access-class)?
    ---> I don't think so.
    Regards,
    ~`JG
    Do rate helpful posts

  • Enable aaa accounting commands for all privilege levels?

    Here is the command's syntax:
    aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
    The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
    Take the following example:
    aaa accounting commands 15 default start-stop group mygroup
    If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
    How can I log all commands regardless of privilege level?

    Hi Red,
    If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
    The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
    You can find the command detail at the link below. This is for ASA though.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Privilege level - tuning the commands

    This example allows users with level 10 privileges to configure an interface ip address...
    privilege exec level 10 configure terminal
    privilege configure level 10 interface
    privilege interface level 10 ip address
    My question is how to configure users in level 10 to ping ONLY ONE ip address..
    eg
    privilege exec level 10 ping 192.168.11.10
    But it seems that I can ping anyway?
    Router2#sh run | be privilege
    privilege interface level 10 ip address
    privilege interface level 10 ip
    privilege configure level 10 interface
    privilege configure level 10 hostname
    privilege exec level 10 ping !!!!!!!!!!!!!!!!
    privilege exec level 10 configure terminal
    privilege exec level 10 configure
    privilege exec level 10 no
    When I telnet into Router2 with the level 10 password I automatically get to the privileged mode
    and I have the following exec commands...
    Router2>en 10
    Password:
    Router2#?
    Exec commands:
    <1-99> Session number to resume
    access-enable Create a temporary Access-List entry
    access-profile Apply user-profile to interface
    clear Reset functions
    configure Enter configuration mode
    connect Open a terminal connection
    disable Turn off privileged commands
    disconnect Disconnect an existing network connection
    enable Turn on privileged commands
    exit Exit from the EXEC
    help Description of the interactive help system
    lock Lock the terminal
    login Log in as a particular user
    logout Exit from the EXEC
    modemui Start a modem-like user interface
    mrinfo Request neighbor and version information from a multicast
    router
    mstat Show statistics after multiple multicast traceroutes
    mtrace Trace reverse multicast path from destination to source
    name-connection Name an existing network connection
    no Disable debugging functions
    pad Open a X.29 PAD connection
    ping Send echo messages
    ppp Start IETF Point-to-Point Protocol (PPP)
    resume Resume an active network connection
    rlogin Open an rlogin connection
    show Show running system information
    slip Start Serial-line IP (SLIP)
    systat Display information about terminal lines
    tclquit Quit Tool Command Language shell
    telnet Open a telnet connection
    terminal Set terminal line parameters
    tn3270 Open a tn3270 connection
    traceroute Trace route to destination
    tunnel Open a tunnel connection
    udptn Open an udptn connection
    where List active connections
    x28 Become an X.28 PAD
    x3 Set X.3 parameters on PAD
    How can I select only the commands I really want from this list??
    ie how can I allow only one specific ping command?
    Thanks !

    Privilege levels can be configured on basis of commands allowed to be executed on that privilege level. It is not possible to restrict the execution of commands which are allowed based on its parameters. So you cannot make it to allow a ping to only one specific IP address and block the ping to others. You can use an access list to block ping to other IP addresses, however the access list will be applicable to all the users at any privilege level.

  • AIR-LAP1242AG-A-K9 configure command does not seem to exist

    I have an AIR-LAP1242AG-A-K9. Straight out of the box I thought it would have the GUI functional but this is not the case. I am brand new to Cisco products so it is taking me a while to get used to them and to Telnet, but from what I have read in about 6 different manuals none have explained how I can access the configure terminal command when it doesn't show up. I am in privileged mode with access of:
    AP001c.588e.a266#show privilege
    Current privilege level is 15
    Version is 12.3(7)JA1, RELEASE SOFTWARE (fc1). I haven't changed any settings except the ip settings and time and date.
    AP001c.588e.a266# ? gives me
    cd Change current directory
    clear Reset functions
    clock Manage the system clock
    crypto Encryption related commands.
    debug Debugging functions (see also 'undebug')
    delete Delete a file
    dir List files on a filesystem
    disable Turn off privileged commands
    enable Turn on privileged commands
    exit Exit from the EXEC
    fsck Fsck a filesystem
    help Description of the interactive help system
    led LED functions
    lock Lock the terminal
    login Log in as a particular user
    logout Exit from the EXEC
    lwapp lwapp exec commands
    mkdir Create new directory
    more Display the contents of a file
    name-connection Name an existing network connection
    no Disable debugging functions
    ping Send echo messages
    but no configure command
    If I try to use the configure command I get
    AP001c.588e.a266#configure terminal
    ^
    % Invalid input detected at '^' marker
    If it helps any if I use show configuration command:
    startup-config is not present
    If I can't get into global configuration mode I can't enable the GUI, turn on the wireless, or do much of anything else so I need some help.
    Any help would be appreciated,
    Matt Brown

    Hi Matt,
    The problem here is that the AP you received is a Lightweight AP which is meant to be used with Wireless Lan Controllers and WCS. The "LAP" portion of the part number shows this Lightweight designation. This can be converted to an Autonomous/stand-alone AP that you desire;
    Here is a conversion method;
    Reverting the Access Point Back to Autonomous Mode
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
    You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
    Using a TFTP Server to Return to a Previous Release
    Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
    Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
    Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
    Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
    Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
    Step 5 Disconnect power from the access point.
    Step 6 Press and hold MODE while you reconnect power to the access point.
    Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
    Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
    Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
    From this doc;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
    Hope this helps!
    Rob

  • No "configure" command in enable mode?

    Got a 1142AG LAP from eBay.
    Connected a console cable to it.  Seems to be able to get into privileged mode.  But there's no "configure" command available.  What can I do?  Thanks!
    AP0017.5a9b.08a4#?
    Exec commands:
      cd               Change current directory
      clear            Reset functions
      clock            Manage the system clock
      crypto           Encryption related commands.
      debug            Debugging functions (see also 'undebug')
      delete           Delete a file
      dir              List files on a filesystem
      disable          Turn off privileged commands
      dot11            IEEE 802.11 commands
      enable           Turn on privileged commands
      exit             Exit from the EXEC
      fsck             Fsck a filesystem
      help             Description of the interactive help system
      led              LED functions
      lock             Lock the terminal
      login            Log in as a particular user
      logout           Exit from the EXEC
      mkdir            Create new directory
      monitor          Monitoring different system events
      more             Display the contents of a file
      name-connection  Name an existing network connection
      no               Disable debugging functions
      ping             Send echo messages
      pwd              Display current working directory
      release          Release a resource
      reload           Halt and perform a cold restart
      rename           Rename a file
      renew            Renew a resource
      rmdir            Remove existing directory
      save             Start to save raise_interrupt_level stack
      send             Send a message to other tty lines
      set              Set system parameter (not config)
      show             Show running system information
      systat           Display information about terminal lines
      terminal         Set terminal line parameters
      test             Test subsystems, memory, and interfaces
      traceroute       Trace route to destination
      undebug          Disable debugging functions (see also 'debug')
      upgrade          Upgrade software
      verify           Verify a file
      where            List active connections
    AP0017.5a9b.08a4#sh ver
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Tue 28-Feb-06 21:32 by kellythw
    ROM: Bootstrap program is C1240 boot loader
    BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
    AP0017.5a9b.08a4 uptime is 1 hour, 24 minutes
    System returned to ROM by power-on
    System image file is "flash:/c1240-k9w8-mx.123-7.JX3/c1240-k9w8-mx.123-7.JX3"
    cisco AIR-LAP1242AG-A-K9   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
    Processor board ID FTX1014B0RD
    PowerPCElvis CPU at 266Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:17:5A:9B:08:A4
    Part Number                          : 73-9925-04
    PCA Assembly Number                  : 800-26579-04
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC10130VCR
    Top Assembly Part Number             : 800-26804-02
    Top Assembly Serial Number           : FTX1014B0RD
    Top Revision Number                  : B0
    Product/Model Number                 : AIR-LAP1242AG-A-K9 
    Configuration register is 0xF

    The AP has been converted to lightweight:
    C1240-K9W8-M
    The K9W8 is lightweight and K9W7 is autonomous.  You need a WLC for the K9W8.  If you have an autonomous image, you can convert it back:
    Using a TFTP Server to Return to a Previous Release
    http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
    https://supportforums.cisco.com/docs/DOC-18268
    http://www.youtube.com/watch?v=QQ_NuxdRhQ4
    https://supportforums.cisco.com/docs/DOC-14960
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Privilege Levels on FWs, switches and Routers

    One question - I am bothered with the privilege level settings.
    Is there a default mapping between a priv lvl and the commands you are allowed to execute, or does one need to define that?
    EX: I want somebody to only have the right of executing sh run on a device and nothing more. Can this be done?
    Thx,
    Vlad

    I would start by configuring a privilege level and then use the ? to list all the commands available at that level.
    privilege level 0 - Includes the disable, enable, exit, help, and logout commands.
    privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.
    privilege level 15 - Includes all enable-level commands at the router# prompt.
    Commands available at a particular level in a particular router can be found by typing a ? at the router prompt. Commands may be moved between privilege levels by using the privilege command, as illustrated in the example. While this example shows local authentication and authorization, the commands work similarly for TACACS+ or RADIUS authentication and exec authorization (more granularity in control of the router may be achieved with implementation of TACACS+ command authorization with a server.)
    Additional details on the users and privilege levels presented in the example:
    User six is able to Telnet in and execute the show run command, but the resulting configuration is virtually blank because this user cannot configure anything (configure terminal is at level 8, not at level 6). The user is not permitted to see usernames and passwords of the other users, or to see Simple Network Management Protocol (SNMP) information.
    User john is able to Telnet in and execute the show run command, but only sees commands that he can configure (the snmp-server community part of the router configuration, since this user is our network management administrator). He can configure snmp-server community because configure terminal is at level 8 (at or below level 9), and snmp-server community is a level 8 command. The user is not permitted to see usernames and passwords of the other users, but he is trusted with the SNMP configuration.
    User inout is able to Telnet in, and, by virtue of being configured for autocommand show running, sees the configuration displayed but is disconnected thereafter.
    User poweruser is able to Telnet in and execute the show run command. This user is at level 15, and is able to see all commands. All commands are at or below level 15; users at this level can also view and control usernames and passwords.
    HTH

  • Missing "config" command in CLI (Cisco 1140 AP)

    Hi All
    I am trying to change the IP configuration for my Cisco 1140 AP, but in the CLI I don't have a "config" command (I used en before to enable administrative mode)
    Below are the commands I can see:
    AP7081.0506.d54a#?
    Exec commands:
      cd               Change current directory
      clear            Reset functions
      clock            Manage the system clock
      crypto           Encryption related commands.
      debug            Debugging functions (see also 'undebug')
      delete           Delete a file
      dir              List files on a filesystem
      disable          Turn off privileged commands
      enable           Turn on privileged commands
      exit             Exit from the EXEC
      fsck             Fsck a filesystem
      help             Description of the interactive help system
      led              LED functions
      lock             Lock the terminal
      login            Log in as a particular user
      logout           Exit from the EXEC
      lwapp            lwapp exec commands
      mkdir            Create new directory
      monitor          Monitoring different system events
      more             Display the contents of a file
      name-connection  Name an existing network connection
      no               Disable debugging functions
      ping             Send echo messages
      pwd              Display current working directory
      release          Release a resource
      reload           Halt and perform a cold restart
      rename           Rename a file
      renew            Renew a resource
      rmdir            Remove existing directory
      send             Send a message to other tty lines
      set              Set system parameter (not config)
      show             Show running system information
      systat           Display information about terminal lines
      terminal         Set terminal line parameters
      test             Test subsystems, memory, and interfaces
      traceroute       Trace route to destination
      undebug          Disable debugging functions (see also 'debug')
      upgrade          Upgrade software
      verify           Verify a file
      where            List active connections
    In addition, I keep getting the following messages:
    *Mar  1 00:38:13.933: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
    *Mar  1 00:38:23.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    I am not sure what I am doing wrong. I tried to do a hard reset but it didn't work.
    Any ideas?

    Thanks
    Another question:
    I verified that my AP is Lightweight by the part id (AIR-LAP1141N)
    Now, when I browse to Cisco download page, I have 3 options for OS:
    - Autonomous AP IOS Software
    - IOS Boot Images
    - IOS Software
    - Lightweight AP IOS Software
    Which of the above should I use in order to switch the AP to regular mode?
    Does anyone know what the difference is between IOS software and the Autonomous IOS software?

  • Privilege level 15 to ASA cli administrator via Radius

    Hello Friends!
    Is this supported yet on the ASA?  I want to be able to have radius assign privilege levels to firewall cli administrators.
    Upon login, I'd like them to be immediately placed into "enabled mode" (without needing to know the local enable password).  I believe we can set the maximum privilege level the user can attain.  But for now, I simply want to have everyone go into priv level 15 without having to know the shared enable secret password.  Switching to tacacs isn't an option.
    I remember finding out a while back that this was not possible.  Please tell me this is now possible.  It's almost 2013.

    Thanks Marcin!
    Very interesting.  Now that you mention it, I do remember seeing someone use the login command after they had already logged in.  That's what they must have been doing.  I wonder what the thought process was in developing it this way.
    I suppose a few different ways around this are (since not everyone will know of this odd behavior and I'm not the only one logging in) to configure radius to authenticate users and then either:
    1.  Configure a MOTD banner that says "ATTENTION:  Type the command 'login', followed by your regular credentials AGAIN to be put into enable mode."
    or
    2.  Configure a MOTD banner that says "ATTENTION:  To gain enable mode privileges, type the command 'enable', followed by the password cisco.".
    Horrible idea?  Thoughts?
    // example of the second 'login' command working:
    ssh [email protected]
    [email protected]'s password:
    Warning!
    Warning!
    Type help or '?' for a list of available commands.
    fw1> ?
      clear       Reset functions
      enable      Turn on privileged commands
      exit        Exit from the EXEC
      help        Interactive help for commands
      login       Log in as a particular user
      logout      Exit from the EXEC
      no          Negate a command or set its defaults
      ping        Send echo messages
      quit        Exit from the EXEC
      show        Show running system information
      traceroute  Trace route to destination
    fw1> login
    Username: admin
    Password: *********
    fw1#
    fw1# sh run username
    username admin password encrypted privilege 15

  • How to update userid to uid=0 using command line?

    Hi all,
    I made a new user "sysadmin" by typing at root command line:
    # useradd sysadmin (all default profile values)
    What is the command (line) to update its UID to "0"?
    Thank you very much in advance.
    Ms KK

    In general, having multiple accounts with the same UID is a bad idea. To have
    multiple "root" accounts is very, very bad idea.
    If you need an ordinary mortal user to be able to execute privileged commands,
    set up the sudo(1) facility. This will let you grant permission with a fine
    level of control about exactly which program or command is being used. As a
    bonus, you will get an audit trail of who did what as whom.
    The great thing about sudo(1) is that you can grant root privilege without
    having to give out root's password.
    Now, assume you make duplicate "root" accounts. You get offered a better job
    and leave. The new sysadmin will need careful briefing before doing anything.
    This will create a major maintainability issue long term.
    If you want another root user for disaster recovery or losing the password,
    there are better alternatives such as:
    -- Reboot the system using rescue mode from the installation disks.
    -- Boot into single-user mode by interrupting the GRUB install sequence and appending "s" to the kernel command line.
    -- Boot into an interactive shell by appending the "init=/bin/bash" clause using the same technique.
    These are some of the known, common, best practice methods of handling this
    situation. A custom solution here could be quite dangerous and hard to maintain
    in the long run.
    Please don't.

  • Filtering in Privilege level !!

    Hi all. I am not using AAA. Just using the privilege command to move commands between levels. Now my question is simple. I want to assign level 2 to my user admin. And he can ONLY run sh interfaces. No other command (this includes the default set of commands coming with privilege level 2) should be allowed. The user can only run sh interfaces and that's it. Kindly tell me how to do it
    1) without AAA, using privilege commands
    2) with AAA using local authorization.
    Thanks in advance, kindly guide me

    This link should work for both.
    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_sec_4cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1184620
    Hope that helps.

  • Local ASA passwords to allow ALL show commands, no config

    Hi there
    Currently have an ASA 5545. What I want to do is allow our support team to perform ALL show commands (up to and including show run) but not enable them to perform ANY configuration changes on the devices (not get into config t). This is to allow them to check ARP tables, routing protocol status, etc
    Can anyone advise the syntax to do this? I don't have access to the ASA at the moment and haven't been able to figure it out in IOS, I'm assuming it's not too hard...

    Assuming AAA authentication, define some users with intermediate privilege levels and assign the commands they can run to that level, e.g.
        username readonly password SomeSecret privilege 2
    followed by a tedious number of privilege commands for each of the keywords "show ?" expands to:
    privilege show level 2 mode exec command aaa-server
    privilege show level 2 mode exec command xlate
    Anyone knowing a more concise way would be welcome.
    -- Jim Leinweber, WI State Lab of Hygiene
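
An added example, not part of the thread and not from any of its posters: a Python script that reads `show ?` help text and an existing configuration, emits the `privilege show level N mode exec command <keyword>` lines (the form quoted in the last answer) that are still missing for a read-only level, and flags any non-show privilege entry at or below that level. The sample help text, the sample configuration and the `cmd` entry in it are constructed assumptions, not captured from a device.

```python
import re

# A keyword line in "?" help output: keyword, two or more spaces, description.
# Wrapped description lines and prompt lines do not match this shape.
KEYWORD_LINE = re.compile(r"^\s*([A-Za-z0-9][\w-]*)\s{2,}\S")

# Privilege line in the form quoted in the thread:
#   privilege show level 2 mode exec command aaa-server
PRIV_LINE = re.compile(
    r"^privilege\s+(\S+)\s+level\s+(\d+)\s+mode\s+(\S+)\s+command\s+(\S+)\s*$"
)

# Constructed sample of "show ?" output, including one wrapped description.
SAMPLE_SHOW_HELP = """\
fw1# show ?

  aaa-server      Show aaa-server configuration information
  arp             Show ARP table
  route           Display the routing table, including routes learned
                  dynamically
  running-config  Show current operating configuration
  xlate           Display current translation information
"""

# Constructed sample configuration. The "cmd" line is an assumed example of a
# non-show entry that would let the read-only level do more than look.
SAMPLE_CONFIG = """\
username readonly password SomeSecret privilege 2
privilege show level 2 mode exec command aaa-server
privilege show level 2 mode exec command xlate
privilege cmd level 2 mode exec command configure
"""


def help_keywords(help_text):
    """Return the keywords listed in '?' help output, in order, without duplicates."""
    seen, keywords = set(), []
    for line in help_text.splitlines():
        match = KEYWORD_LINE.match(line)
        if match and match.group(1) not in seen:
            seen.add(match.group(1))
            keywords.append(match.group(1))
    return keywords


def privilege_entries(config_text):
    """Return (kind, level, mode, command) for every privilege line in the config."""
    entries = []
    for line in config_text.splitlines():
        match = PRIV_LINE.match(line.strip())
        if match:
            kind, level, mode, command = match.groups()
            entries.append((kind, int(level), mode, command))
    return entries


def missing_show_lines(help_text, config_text, level):
    """Config lines still needed so that `level` can run every listed show keyword."""
    covered = {
        command
        for kind, lvl, mode, command in privilege_entries(config_text)
        if kind == "show" and mode == "exec" and lvl <= level
    }
    return [
        f"privilege show level {level} mode exec command {keyword}"
        for keyword in help_keywords(help_text)
        if keyword not in covered
    ]


def non_show_grants(config_text, level):
    """Privilege entries at or below `level` that are not show entries."""
    return [
        entry
        for entry in privilege_entries(config_text)
        if entry[0] != "show" and entry[1] <= level
    ]


if __name__ == "__main__":
    print("Lines to add:")
    for line in missing_show_lines(SAMPLE_SHOW_HELP, SAMPLE_CONFIG, 2):
        print("  " + line)
    print("Entries to review (not show-only):")
    for entry in non_show_grants(SAMPLE_CONFIG, 2):
        print("  kind=%s level=%d mode=%s command=%s" % entry)
```

Review the generated lines before pasting them into a device, and treat every flagged entry as a possible path from the read-only level to configuration changes.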
