To configure a new privilege level for users and associate commands with that privilege level, use the privilege command in global configuration mode. To reset the privilege level of the specified command or commands to the default and remove the privilege level configuration from the running configuration file, use the no form of this command.
Note: As of Cisco IOS Releases 12.3(6) and 12.3(6)T, the no form of the privilege command and the reset keyword perform the same functions.
privilege mode [all] {level level | reset} command-string
no privilege mode [all] {level level | reset} command-string
Syntax Description
mode | Configuration mode for the specified command. See the table in the “Usage Guidelines” section for a list of options for this argument.
all | (Optional) Changes the privilege level for all the suboptions to the same level.
level level | Specifies the privilege level you are configuring for the specified command or commands. The level argument must be a number from 0 to 15.
reset | Resets the privilege level of the specified command or commands to the default and removes the privilege level configuration from the running configuration file. Note: For Cisco IOS software releases earlier than Release 12.3(6) and Release 12.3(6)T, you use the no form of this command to reset the privilege level to the default. The default form of this command will still appear in the configuration file. To completely remove a privilege configuration, use the reset keyword.
command-string | Command associated with the specified privilege level. If the all keyword is used, specifies the command and subcommands associated with the privilege level.
Command Default
User EXEC mode commands are privilege level 1.
Privileged EXEC mode and configuration mode commands are privilege level 15.
Command Modes
Global configuration
Command History
Release | Modification
10.3 | This command was introduced.
12.0(22)S, 12.2(13)T | The all keyword was added.
12.3(6), 12.3(6)T | The no form of the command performs the same function as the reset keyword.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The password for a privilege level defined using the privilege global configuration command is configured using the enable secret command.
Level 0 can be used to specify a more-limited subset of commands for specific users or lines. For example, you can allow user “guest” to use only the show users and exit commands.
Note: There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included.
When you set the privilege level for a command with multiple words, note that the commands starting with the first word will also have the specified access level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15--unless you set them individually to different levels. This is necessary because you can’t execute, for example, the show ip command unless you have access to show commands.
To change the privilege level of a group of commands, use the all keyword. When you set a group of commands to a privilege level using the all keyword, all commands which match the beginning string are enabled for that level, and all commands which are available in submodes of that command are enabled for that level. For example, if you set the show ip keywords to level 5, show and ip will be changed to level 5 and all the options that follow the show ip string (such as show ip accounting, show ip aliases, show ip bgp, and so on) will be available at privilege level 5.
The table below shows some of the keyword options for the mode argument in the privilege command. The available mode keywords will vary depending on your hardware and software version. To see a list of available mode options on your system, use the privilege ? command.
Table 2. mode Argument Options
Command | Description
accept-dialin | VPDN group accept dialin configuration mode
accept-dialout | VPDN group accept dialout configuration mode
address-family | Address Family configuration mode
alps-ascu | ALPS ASCU configuration mode
alps-circuit | ALPS circuit configuration mode
atm-bm-config | ATM bundle member configuration mode
atm-bundle-config | ATM bundle configuration mode
atm-vc-config | ATM virtual circuit configuration mode
atmsig_e164_table_mode | ATMSIG E164 Table
cascustom | Channel-associated signalling (cas) custom configuration mode
config-rtr-http | RTR HTTP raw request Configuration
configure | Global configuration mode
controller | Controller configuration mode
crypto-map | Crypto map config mode
crypto-transform | Crypto transform configuration mode
dhcp | DHCP pool configuration mode
dspfarm | DSP farm configuration mode
exec | Exec mode
flow-cache | Flow aggregation cache configuration mode
gateway | Gateway configuration mode
interface | Interface configuration mode
interface-dlci | Frame Relay DLCI configuration mode
ipenacl | IP named extended access-list configuration mode
ipsnacl | IP named simple access-list configuration mode
ip-vrf | Configure IP VRF parameters
lane | ATM Lan Emulation Lecs Configuration Table
line | Line configuration mode
map-class | Map class configuration mode
map-list | Map list configuration mode
mpoa-client | MPOA Client
mpoa-server | MPOA Server
null-interface | Null interface configuration mode
preaut | AAA Preauth definitions
request-dialin | VPDN group request dialin configuration mode
request-dialout | VPDN group request dialout configuration mode
route-map | Route map configuration mode
router | Router configuration mode
rsvp_policy_local |
rtr | RTR Entry Configuration
sg-radius | RADIUS server group definition
sg-tacacs+ | TACACS+ server group
sip-ua | SIP UA configuration mode
subscriber-policy | Subscriber policy configuration mode
tcl | Tcl mode
tdm-conn | TDM connection configuration mode
template | Template configuration mode
translation-rule | Translation Rule configuration mode
vc-class | VC class configuration mode
voiceclass | Voice Class configuration mode
voiceport | Voice configuration mode
voipdialpeer | Dial Peer configuration mode
vpdn-group | VPDN group configuration mode
Examples
The following example shows how to set the configure command to privilege level 14 and establish SecretPswd14 as the password users must enter to use level 14 commands:
privilege exec level 14 configure
enable secret level 14 SecretPswd14
The following example shows how to set the show and ip keywords to level 5. The suboptions coming under ip will also be allowed to users with privilege level 5 access:
Router(config)# privilege exec all level 5 show ip
The following two examples demonstrate the difference in behavior between the no form of the command and the use of the reset keyword when using Cisco IOS software releases earlier than Releases 12.3(6) and Release 12.3(6)T.
Note: As of Cisco IOS Releases 12.3(6) and 12.3(6)T, the no form of the privilege command and the reset keyword perform the same functions.
! show currently configured privilege commands
Router# show running-config | include priv
privilege configure all level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no privilege exec level 3 configure terminal
Router(config)# end
! show currently configured privilege commands
Router# show running-config | include priv
privilege configure all level 3 interface
privilege exec level 15 configure terminal
privilege exec level 15 configure
Note that in the show running-config output above, the privilege command for “configure terminal” still appears, but now has the default privilege level assigned.
To remove a previously configured privilege command entirely from the configuration, use the reset keyword, as shown in the following example:
! show currently configured privilege commands
Router# show running-config | include priv
privilege configure all level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# privilege exec reset configure terminal
Router(config)#
Router# show running-config | include priv
privilege configure all level 3 interface
Router#
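The prefix rule from the Usage Guidelines and the leftover level 15 lines shown in the first example above can both be checked offline against saved show running-config | include priv output. The following Python sketch is an added example, not Cisco code: the function names, the finding tags, and the first-line-wins tie-break are assumptions, and the sample input is constructed from the output shown on this page.

```python
import re

# Syntax from the page: privilege mode [all] {level level | reset} command-string
PRIV = re.compile(r"^privilege\s+(?P<mode>\S+)\s+(?P<all>all\s+)?"
                  r"(?:level\s+(?P<level>\d+)|reset)\s+(?P<cmd>\S.*)$")

def parse(text):
    """Return (mode, all_flag, level, command) tuples; level is None for reset."""
    entries = []
    for raw in text.splitlines():
        m = PRIV.match(raw.strip())
        if not m:
            continue  # prompts, "!" comments, "no" forms, unrelated config
        level = int(m["level"]) if m["level"] is not None else None
        if level is not None and not 0 <= level <= 15:
            raise ValueError(f"level must be 0 to 15: {raw.strip()}")
        entries.append((m["mode"], bool(m["all"]), level, " ".join(m["cmd"].split())))
    return entries

def effective_levels(entries):
    """Map (mode, command) -> level; leading words inherit unless set individually."""
    levelled = [e for e in entries if e[2] is not None]  # skip reset lines
    explicit = {(mode, cmd): lvl for mode, _, lvl, cmd in levelled}
    table = {}
    for mode, _, lvl, cmd in levelled:
        words = cmd.split()
        for n in range(1, len(words)):
            # Assumption: the first line seen wins when two lines imply a prefix.
            table.setdefault((mode, " ".join(words[:n])), lvl)
    table.update(explicit)
    return table

def review(entries):
    """Flag lines for a reviewer as (tag, mode, command) tuples."""
    flagged = []
    for mode, all_flag, lvl, cmd in entries:
        if lvl == 15:
            flagged.append(("at-level-15", mode, cmd))  # residue or deliberate raise
        elif lvl is not None and all_flag:
            flagged.append(("all-suboptions", mode, cmd))  # every suboption granted
    return flagged

# Constructed input: the output after the "no" form in the page's example.
SAMPLE = """privilege configure all level 3 interface
privilege exec level 15 configure terminal
privilege exec level 15 configure
"""

if __name__ == "__main__":
    print(*review(parse(SAMPLE)), sep="\n")
```

A line tagged at-level-15 is either residue left by the no form on releases earlier than 12.3(6) and 12.3(6)T or a deliberate raise of a user EXEC command; residue is removed with the reset keyword.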