Using Cisco Privilege Levels to Provide a Read-Only "show run" User

See the associated video here.

  1. Add the new user and required privilege level to your device in config mode:

    username cisco priv 3 secret cisco

    This example adds a user named 'cisco' at privilege level 3 with the password 'cisco'.

  2. Add the commands you wish the privilege level to have:

    privilege exec level 3 show run
    privilege exec level 3 show start
    privilege exec level 3 show running-config view
    privilege exec level 3 show running-config view full
    privilege exec level 3 more system:running-config
    privilege exec level 3 show conf
    privilege exec level 3 configure terminal
    privilege configure all level 3 clock

    This example grants the level-3 user the commands listed above, including enough configuration access (configure terminal, then clock) to change the clock settings and nothing else in configure mode.

  3. Allow file access for the privilege level:

    file privilege 3

    Without this, the user cannot actually view the contents of flash and nvram: the show commands run, but produce no useful output.

  4. Optional: apply AAA new-model commands. If your configuration uses no aaa new-model, the steps above work without further changes. Otherwise, add:

    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    aaa authorization console
    aaa authorization exec default local

    If these additional authorization lines are not added, it is possible your new user will be elevated to level 15.


Bear in mind that the enable secret will always allow users to move to privilege level 15, so do not give the enable password to your reduced-access users.
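As an added example that is not part of the original page or of Cisco's software, the following Python script audits a saved running-config for the pattern described in steps 1 to 4 and the enable-secret caveat: it lists which exec and configure commands a non-15 user can reach, flags a config-view grant without a matching file privilege line (step 3), and flags aaa new-model without aaa authorization exec default local (step 4). The sample config embedded in the script is constructed for the example and deliberately omits the exec authorization line so the check fires; the hostname, hash strings and function names are assumptions, not values from the page.

```python
"""Audit a Cisco IOS running-config for the reduced-privilege 'show run' user pattern.

Added example (not from the original page). The config below is constructed:
it follows steps 1-4 but leaves out 'aaa authorization exec default local'.
"""
import re

# Constructed sample running-config; hostname and hashes are placeholders.
SAMPLE_CONFIG = """\
version 15.2
hostname LAB-RTR
enable secret 5 $1$EXAMPLE$placeholderhash
username cisco privilege 3 secret 5 $1$EXAMPLE$placeholderhash
username admin privilege 15 secret 5 $1$EXAMPLE$placeholderhash
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
privilege exec level 3 show run
privilege exec level 3 show start
privilege exec level 3 show running-config view
privilege exec level 3 show running-config view full
privilege exec level 3 more system:running-config
privilege exec level 3 show conf
privilege exec level 3 configure terminal
privilege configure all level 3 clock
file privilege 3
line vty 0 4
 transport input ssh
"""

# IOS writes the full keyword 'privilege' to the saved config; 'priv\S*' also
# tolerates the abbreviated form used when typing the command.
USER_RE = re.compile(r"^username (\S+)(?: priv\S* (\d+))?")
PRIV_RE = re.compile(r"^privilege (\S+)(?: (all))? level (\d+) (.+)$")
FILE_PRIV_RE = re.compile(r"^file privilege (\d+)$")

# Commands whose output is the device configuration (need 'file privilege').
CONFIG_VIEW_CMDS = ("show run", "show start", "show conf", "more system:running-config")


def parse_users(config):
    """Return {username: privilege level}; IOS defaults an omitted level to 1."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2) or 1)
    return users


def parse_privilege_commands(config):
    """Return [(mode, all_flag, level, command)] for each 'privilege ... level N ...' line."""
    grants = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            grants.append((m.group(1), bool(m.group(2)), int(m.group(3)), m.group(4)))
    return grants


def file_privilege_level(config):
    """Return the level from 'file privilege N', or None if absent (IOS default: 15)."""
    for line in config.splitlines():
        m = FILE_PRIV_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def audit(config):
    """Return a list of finding strings for every user below privilege level 15."""
    findings = []
    lines = {line.strip() for line in config.splitlines()}
    grants = parse_privilege_commands(config)
    file_level = file_privilege_level(config)
    aaa_new_model = "aaa new-model" in lines
    exec_authz = "aaa authorization exec default local" in lines

    for user, level in sorted(parse_users(config).items()):
        if level == 15:
            continue  # full access by definition; nothing to scope
        # A user at level N can run commands placed at any level <= N.
        reachable = [cmd for mode, _, lvl, cmd in grants if mode == "exec" and lvl <= level]
        findings.append(f"user {user}: level {level} exec commands: {', '.join(reachable) or 'none'}")

        if any(cmd.startswith(CONFIG_VIEW_CMDS) for cmd in reachable):
            if file_level is None or file_level > level:
                findings.append(f"user {user}: config-view commands granted but no "
                                f"'file privilege' at or below {level}; output will be empty")
        if aaa_new_model and not exec_authz:
            findings.append(f"user {user}: aaa new-model without 'aaa authorization exec "
                            f"default local'; user may be elevated to level 15")
        if "configure terminal" in reachable:
            cfg = [cmd for mode, _, lvl, cmd in grants if mode == "configure" and lvl <= level]
            findings.append(f"user {user}: configure mode reachable; configure commands "
                            f"at or below level {level}: {', '.join(cfg) or 'none'}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` captured from a device and compare the exec list it prints against what the reduced-access user is meant to see; the enable secret line is left alone because, as noted above, anyone holding that secret reaches level 15 regardless of these settings.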


Watch the video for clear explanations about each command.
