Augmenting management privilege levels

Each management privilege level provides access to specific areas of the CLI by default:

  • Super User level provides access to all commands and displays.
  • Port Configuration level gives access to:
    • The User EXEC and Privileged EXEC levels
    • The port-specific parts of the CONFIG level
    • All interface configuration levels
  • Read Only level gives access to:
    • The User EXEC and Privileged EXEC levels

You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command.

NOTE
This feature applies only to management privilege levels on the CLI.

For example, to enhance the Port Configuration privilege level so that users can also enter IP commands at the global CONFIG level, enter the following command.

device(config)#privilege configure level 4 ip

In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands. Users who log in with valid Port Configuration level user names and passwords can enter commands that begin with "ip" at the global CONFIG level.

Syntax: [no] privilege cli-level level privilege-level command-string

The cli-level parameter specifies the CLI level and can be one of the following values:

  • exec - EXEC level; for example, device> or device#
  • configure - CONFIG level; for example, device(config)#
  • interface - Interface level; for example, device(config-if-6)#
  • loopback-interface - loopback interface level
  • virtual-interface - Virtual-interface level; for example, device(config-vif-6)#
  • dot1x - 802.1X configuration level
  • ipv6-access-list - IPv6 access list configuration level
  • rip-router - RIP router level; for example, device(config-rip-router)#
  • ospf-router - OSPF router level; for example, device(config-ospf-router)#
  • dvmrp-router - DVMRP router level; for example, device(config-dvmrp-router)#
  • pim-router - PIM router level; for example, device(config-pim-router)#
  • bgp-router - BGP4 router level; for example, device(config-bgp-router)#
  • vrrp-router - VRRP configuration level
  • gvrp - GVRP configuration level
  • trunk - trunk configuration level
  • port-vlan - Port-based VLAN level; for example, device(config-vlan)#
  • protocol-vlan - Protocol-based VLAN level

The privilege-level parameter specifies the number of the management privilege level you are augmenting. You can specify one of the following:

  • 0 - Super User level (full read-write access)
  • 4 - Port Configuration level
  • 5 - Read Only level

The command-string parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter "?" at that level's command prompt.
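Because each privilege command widens what every user at that level can do, it is worth reviewing saved configurations for these lines. The following audit script is an added example, not vendor code; it assumes the configuration is available as text with one command per line in the syntax documented above, and the sample configuration is constructed.

```python
import re

# CLI levels and privilege levels exactly as listed on this page.
CLI_LEVELS = {
    "exec", "configure", "interface", "loopback-interface",
    "virtual-interface", "dot1x", "ipv6-access-list", "rip-router",
    "ospf-router", "dvmrp-router", "pim-router", "bgp-router",
    "vrrp-router", "gvrp", "trunk", "port-vlan", "protocol-vlan",
}
PRIV_LEVELS = {0: "Super User", 4: "Port Configuration", 5: "Read Only"}

# Syntax: [no] privilege cli-level level privilege-level command-string
LINE_RE = re.compile(r"^(no\s+)?privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")

def audit_privileges(config_text):
    """Return (grants, problems) for every 'privilege' line in a saved config."""
    grants, problems = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not re.match(r"(no\s+)?privilege\b", line):
            continue  # not a privilege augmentation line
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "does not match the documented syntax"))
            continue
        negated, cli_level, level, command = m.groups()
        level = int(level)
        if cli_level not in CLI_LEVELS:
            problems.append((lineno, f"unknown cli-level {cli_level!r}"))
        elif level not in PRIV_LEVELS:
            problems.append((lineno, f"unknown privilege level {level}"))
        elif not negated:  # a "no" form removes access, so it is not a grant
            grants.append({"line": lineno, "role": PRIV_LEVELS[level],
                           "cli_level": cli_level, "command": command.strip()})
    return grants, problems

# Constructed sample config (not from a real device).
SAMPLE = """\
hostname device
privilege configure level 4 ip
privilege exec level 5 ping
privilege bogus-level level 4 vlan
privilege configure level 7 snmp-server
"""

if __name__ == "__main__":
    grants, problems = audit_privileges(SAMPLE)
    for g in grants:
        print(f"line {g['line']}: {g['role']} may run '{g['command']}' at {g['cli_level']}")
    for lineno, why in problems:
        print(f"line {lineno}: {why}")
```

Each reported grant applies to all users at that privilege level, so review the list against what each role is intended to do.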