CLI Command Privileges
You can change the privilege level of most commands by using the privilege command that is available in Global Configuration mode. To use this command, you must enable your CLI session to privilege level 15.
CLI Privilege Groups
You can change privilege group accessibility. Privilege groups are no longer required to be hierarchical. You can modify the privilege group membership and define which privilege group is a member of another privilege group.
A privilege group can contain commands and other privilege groups as members. A group always has access to commands in its own privilege group and in privilege group 0. By default, each group has one member, so a given privilege group has access to all commands in every privilege group with a lower number than itself.
A privilege group is reachable from another privilege group when it is a member of that group, or a member of a group that is a member of that group, and so on until a search of all member groups is exhausted. The search can go through several levels of recursion as long as there are no circular dependencies.
Privilege group 0 is not a member of any group and you cannot assign member groups to it, but it is reachable from every privilege group.
Numbers in the range 0 to 15 identify the 16 privilege groups. Each of the 16 groups can have a name or an alias. The default internal name is the privilege group number. By default, the groups are hierarchical and each group, with the exception of groups 1 and 0, contains one group. When a group contains a group, the contained group is a member of the original group: privilege group p has one member, privilege group p-1. For example, privilege group 15 has member 14, privilege group 14 has member 13, and privilege group 2 has member 1.
For hierarchical groups, groups 0 through 14 are reachable from privilege group 15, groups 0 through 13 are reachable from privilege group 14, groups 0 to 4 are reachable from 5, and so forth. Hierarchical groups can also contain other privilege groups. For example, group A is reachable from group B if group A is a member of group B or is a member of a group that is a member of group B. If group X has member Y and Y has member Z then Z is reachable from X.
You cannot configure circular dependencies. For example, you cannot configure a membership in which group X has member Y, Y has member Z, Z has member P, and X can already reach Z and P: group X cannot also have member Z or P, because Z and P are reachable through Y.
Examples Using Privilege Group Membership
In each of the following examples, privilege groups are at the default setting, where privilege group 0 is reachable from every privilege group, 15 contains 14, 14 contains 13, 13 contains 12, and so forth. The commands in each example change the privilege group settings from the default.
Example 1
In Example 1:
- Privilege group 11 does not contain any privilege groups
- Privilege group 15 contains group 10. Therefore, privilege group 10 and all groups contained or reachable from privilege group 10 are now reachable from privilege group 15.
- Because privilege group 15 already contains privilege group 14, all groups with the exception of privilege group 11 are reachable from privilege group 15.
- A command that is in privilege group 11 can only be executed by a user at privilege 11. A user at any other privilege does not have access to privilege group 11 commands.
Example 2
In Example 2:
- Privilege group 14 does not contain any privilege groups.
- Privilege group 15 contains two groups: 14 and 10. The privilege groups 0, 1, 2, 4, 5, 6, 7, 8, 9, 10, and 14 are reachable from privilege group 15.
- A user at privilege 15 does not have access to commands in privilege groups 11, 12, or 13.
Example 3
In Example 3:
- The privilege groups start at the default hierarchical setting: 15 contains 14, 14 contains 13, 13 contains 12, and so forth.
- Privilege group 13 contains one privilege group: privilege group 10.
- The privilege groups 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, and 10 are reachable from privilege group 13.
Example 4
In Example 4:
- The privilege groups start at the default hierarchical setting: 15 contains 14, 14 contains 13, 13 contains 12, and so forth.
- Privilege group 12 contains one privilege group: the privilege group 5.
- Privilege group 11 contains one privilege group: the privilege group 5.
- Privilege groups 0, 1, 2, 3, 4, 5 are reachable from privilege groups 12 and 11.
Example 5
In Example 5:
- Privilege group 9 contains no privilege groups.
- Privilege group 8 contains group 14.
- Privilege group 7 contains group 1.
Example 6
In Example 6, either a number or an alias name can identify each of the seven privilege groups 0, 5, 6, 7, 10, 13, and 15.
Example 7
In Example 7, privilege group 10 alias dailyAdmin has one member: privilege group 6 alias dailyTroll.
Example 8
Example 8 reverts one privilege group membership to its default setting. Prior to the execution of this command, the following group memberships were in place:
| group | member | reachable |
|---|---|---|
| 8 | 12 | 12, 0 |
| 9 | -- | 0 |
| 10 | 9 | 9, 0 |
| 11 | 10 | 10, 9, 0 |
| 12 | 11 | 11, 10, 9, 0 |
Reverting privilege group 9 to its default gives it one member: privilege group 8. This creates the circular dependency: 8 contains 12, 12 contains 11, 11 contains 10, 10 contains 9, and 9 contains 8.
Example 9
In Example 9, privilege group membership reverts to the default setting. All privilege groups revert to hierarchical settings: 15 contains 14, 14 contains 13, 13 contains 12, and so forth. Privilege group 0 is reachable from every privilege group.
Example 10
In this example, one privilege group membership reverts to its default setting. Privilege group 7 contains group 6.
Example 11
In Example 11, all alias settings are removed.
Example 12
```
host1#show privilege group
privilege  privilege     directly   all
group      group         reachable  reachable
           alias         groups     groups *
---------- ------------  ---------  -----------------
0          minUser       --         --
1          --            --         0
2          --            1          0 1
3          --            2          0 1 2
4          --            3          0 1 2 3
5          basicUser     4          0 1 2 3 4
6          dailyTroll    5          0 1 2 3 4 5
7          weekendAdmin  1          0 1
8          --            14         0 14
9          --            --         0
10         dailyAdmin    6          0 1 2 3 4 5 6
11         --            5          0 1 2 3 4 5
12         --            5          0 1 2 3 4 5
13         LI            10         0 1 2 3 4 5 6 10
14         --            --         0
15         superUser     10 14      0 1 2 3 4 5 6 10 14 15*
* Privilege Group can reach itself
```
Example 12 shows privilege group overrides in effect.
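The membership and reachability rules above (default chain, group 0 reachable from everyone, transitive reachability, and the refusal of circular or already-reachable members) can be checked with a small model. This is an added example, not code from the page or from the router software; the sample states are constructed by replaying Examples 1 to 7 and the Example 8 table, and the rejection messages are this model's own wording.

```python
"""Privilege-group membership model: default chain p -> p-1, group 0 reachable
from every group, transitive reachability, and the two membership rules
stated above (no circular dependency; no member already reachable through
another member). Sample states are constructed from the page's examples."""
from typing import Dict, List, Optional, Set

Membership = Dict[int, List[int]]

def default_membership() -> Membership:
    """Hierarchical default: group p has the single member p-1; 0 and 1 have none."""
    return {p: ([p - 1] if p >= 2 else []) for p in range(16)}

def reachable(members: Membership, group: int) -> Set[int]:
    """All groups reachable from `group`: members, members of members, ..., plus 0."""
    seen: Set[int] = set()
    stack = list(members[group])
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(members[g])
    if group != 0:
        seen.add(0)          # group 0 is reachable from every other group
    seen.discard(group)      # list other groups only, as show privilege group does
    return seen

def try_add(members: Membership, group: int, member: int) -> Optional[str]:
    """privilege-group membership <group> <member>: None on success, else the reason."""
    if group == 0 or member == 0:
        return "group 0 takes no members and is implicitly reachable"
    if member == group or group in reachable(members, member):
        return f"circular dependency: {group} is already reachable from {member}"
    if member in reachable(members, group):
        return f"{member} is already reachable from {group} through another member"
    members[group].append(member)
    return None

def add(members: Membership, group: int, member: int) -> None:
    err = try_add(members, group, member)
    if err:
        raise ValueError(err)

def clear(members: Membership, group: int) -> None:
    """privilege-group membership clear <group>"""
    members[group] = []

def example_12_state() -> Membership:
    """Replay the page's Examples 1-7 in order, starting from the default."""
    m = default_membership()
    clear(m, 11); add(m, 15, 10)                        # Example 1
    clear(m, 14)                                        # Example 2 (15 keeps 14 and 10)
    clear(m, 13); add(m, 13, 10)                        # Example 3
    clear(m, 12); add(m, 12, 5); add(m, 11, 5)          # Example 4
    clear(m, 9); clear(m, 8); add(m, 8, 14); clear(m, 7); add(m, 7, 1)   # Example 5
    clear(m, 10); add(m, 10, 6)                         # Example 7
    return m

def example_8_revert() -> Optional[str]:
    """Example 8: giving group 9 its default member 8 would close a cycle."""
    m: Membership = {p: [] for p in range(16)}
    m.update({8: [12], 10: [9], 11: [10], 12: [11]})
    return try_add(m, 9, 8)
```

Running `example_12_state()` and printing `reachable()` for each group reproduces the "all reachable groups" column of the show privilege group output above.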
Example 13
```
host1#show privilege group 15 superUser
The following groups are directly reachable: 14 dailyAdmin
The following groups are reachable: 1 14 2 3 4 basicUser dailyAdmin dailyTroll minUser
```
In Example 13, groups 14 and dailyAdmin are directly reachable and groups 1, 14, 2, 3, 4, basicUser, dailyAdmin, dailyTroll, and minUser are reachable.
privilege
- Use to change the privilege level of any command within a specified mode.
- Example 1: host1(config)#privilege exec level 12 terminal width
- Example 2: host1(config)#privilege exec all level 5 terminal
- Use the all keyword to change the privilege level of groups of commands. For more information, see Setting Privilege Levels for Multiple Commands.
- Use the reset version to restore the default privilege level for the command; issuing this command results in the show configuration command not showing the default privilege setting for the command.
- Use the no version to restore the default privilege level for the command; issuing this command results in the show configuration command showing the default privilege level of the command in its output.

Note: You must access the CLI at privilege level 15 to view or use this command.
- See privilege.
privilege-group alias
- Use to give the privilege group name alias to the privilege group.
- Example: host1(config-if)#privilege-group alias
- Use the no version to remove the privilege group alias.
- See privilege-group alias.
privilege-group membership
- Use to add the member group to or remove the member group from the privilege group.
- Example: host1(config-if)#privilege-group membership
- Use the no version to restore one or all privilege groups to the default settings. When all privilege groups are reset to the default settings, the privilege group membership is hierarchical.
- See privilege-group membership.
privilege-group membership clear
- Use to clear a privilege group or all members from a privilege group.
- Example: host1(config-if)#privilege-group membership clear
- There is no no version.
- See privilege-group membership clear.
CLI Command Exceptions
Changing command privilege levels can be a powerful security tool. However, changing the command privilege for some commands could render the CLI unusable and require you to reboot the router. To eliminate this possibility, the CLI does not allow you to remap the following commands:
- disable
- enable
- exit
- help
- privilege
- support
CLI Keyword Mapping
You cannot change the privilege level of keywords that are separated from the command string by a parameter in the command sequence. In other words, once the privilege algorithm reaches a parameter, the privilege algorithm that maps the commands to the desired privilege level stops and allows any keyword options that may follow in the command sequence. The algorithm then waits for a carriage return before looking at the next command sequence.
For example, you can change the command privilege level for the telnet command. However, because the telnet command is immediately followed by a variable (that is, a hostname or IP address) and not a keyword, you cannot change the privilege level for any keywords that follow the command.
```
host1#telnet router2 ?
  <0 - 65535>   The port on which to send the request
  bgp           Border Gateway Protocol (179)
  chargen       Character generator (19)
  cmd           Remote commands (rcmd, 514)
```
Setting Privileges for Ambiguous Commands
The privilege command allows you to set command privilege levels for parts of commands that the CLI would normally consider ambiguous. In other words, you can set privilege levels by specifying letters that represent only the beginning part of a command or group of commands (even the first letter of a command or group of commands).
The following example sets the privilege level to 12 for any Exec mode (user or privileged) command that starts with the letter "t":
The list of affected commands includes telnet, terminal, test, and traceroute.
The following example changes all the above commands, with the exception of the traceroute command, to level 15:
The following example changes all commands that start with the letters "te" (for example, telnet, terminal, and test), and any second keyword that starts with the letter "i" and follows a command that starts with the letters "te" (for example, the keyword "ip" in the command test ip), to level 1:
When you enter an ambiguous command and an exact match of the command is found, partial matches are ignored and are not modified.
For example, the traffic-class and traffic-class-group commands are available in Global Configuration mode. If you issue the privilege configure level 5 traffic-class command, an exact match is made to traffic-class, and traffic-class-group is not modified.
If you want to set the privilege level for both traffic-class and traffic-class-group and you do not want the exact match to be made to traffic-class, issue a partial command such as traffic-c. The privilege level of all commands that begin with traffic-c is modified.
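The partial-match behaviour just described (prefix matching keyword by keyword, with an exact match taking priority over partial matches) can be modelled as follows. This is an added example, not the router's implementation; the COMMANDS table is a constructed sample built from the command names the page mentions, and `set_privilege` is a hypothetical helper standing in for the privilege command.

```python
"""Model of how the privilege command expands a partial (ambiguous) command
spec into the commands it affects. Added example, not the router's code.
Rule modelled: each word of the spec is matched by prefix against the keyword
at that position; an exact match takes only that keyword and ignores partial
matches; matching stops at the end of the spec."""
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample: mode -> keyword sequences of the commands that exist there.
COMMANDS: Dict[str, List[List[str]]] = {
    "exec": [["telnet"], ["terminal", "width"], ["test", "ip"], ["traceroute"]],
    "configure": [["traffic-class"], ["traffic-class-group"]],
}

def matching_keywords(spec_word: str, candidates: Sequence[str]) -> Set[str]:
    """Exact match wins and partial matches are ignored; else every prefix match."""
    if spec_word in candidates:
        return {spec_word}
    return {k for k in candidates if k.startswith(spec_word)}

def affected_commands(mode: str, spec: Sequence[str]) -> List[str]:
    """Commands in `mode` whose leading keywords match `spec` word by word."""
    survivors = [c for c in COMMANDS[mode] if len(c) >= len(spec)]
    for pos, word in enumerate(spec):
        keep = matching_keywords(word, [c[pos] for c in survivors])
        survivors = [c for c in survivors if c[pos] in keep]
    # the affected unit is the matched keyword prefix, e.g. "test ip" for ["te", "i"]
    return sorted({" ".join(c[: len(spec)]) for c in survivors})

def set_privilege(levels: Dict[Tuple[str, str], int], mode: str,
                  spec: Sequence[str], level: int) -> Dict[Tuple[str, str], int]:
    """privilege <mode> level <level> <spec...>: record the level per affected command."""
    for cmd in affected_commands(mode, spec):
        levels[(mode, cmd)] = level
    return levels
```

Setting "t" to level 12 and then "te" to level 15 leaves only traceroute at 12, matching the sequence described for the Exec mode commands above.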
Setting Privilege Levels for no or default Versions
The privilege command allows you to set command privilege levels for no and default versions of commands. However, setting the privilege level for either the no or default versions of a command does not set the privilege level of the affirmative version of the command. This means that you can have the no or default version of a command at a different privilege level than its affirmative version.
Note: You can set the no or default command to a separate privilege level without specifying any other command to follow. This would force all commands that have a no or default version to function only for that privilege level and higher. For example, if you issue the privilege exec level 10 no command, all no versions in the Privileged Exec mode are available to users at level 10 and higher.
Setting Privilege Levels for Multiple Commands
The all keyword is a wildcard parameter that enables you to set privilege levels for multiple commands rather than setting them individually.
Setting Privilege Levels for All Commands in a Mode
You can set the privilege level for all commands within a specified mode. This setting includes all commands in modes that you can access from a specified mode.
If the command specified in the privilege command changes the configuration mode, all commands in the mode that it enters are also set to the specified privilege level. For more information about accessing modes, see Accessing Command Modes.
For example, issuing the configure command in Privileged Exec mode changes the configuration mode to Global Configuration. If you issue the privilege exec all level 5 configure command, all commands in Global Configuration mode become accessible to users who have CLI privileges at level 5 and higher. For more information about user privilege levels, see Privileged-Level Access.
Setting Privilege Levels for a Group of Commands
You can set the privilege level for a group of commands by using the beginning keyword in a command.
For example, if you issue the privilege configure all level 5 snmp command, all commands in Global Configuration mode that begin with snmp become accessible to users who have CLI privileges at level 5 and higher.
Using the Order of Precedence
The effectiveness of a privilege level that is set with the all keyword depends on its precedence level in the CLI. A privilege level is considered to be in effect only if a privilege level that is configured at a higher precedence level does not override it.
The CLI uses the following order of precedence:
- Privilege level set for all commands within a mode, including modes that are accessed from another mode; for example, Global Configuration mode
- Privilege level set for all commands that begin with the same keyword; for example, snmp commands
- Privilege level set for individual commands; for example, snmp-server community

Note: This order of precedence does not apply to privilege levels that are set without the all keyword.
In the following example, the privilege level of the snmp-server community command is set to level 11, the privilege level for all commands that begin with snmp is set to level 10, and the privilege level for all commands in Global Configuration mode is set to level 5.
The following show configuration output displays the privilege levels set above. The privilege levels for the snmp-server community command and the snmp-server group of commands are still present in the output. However, the privilege level of Global Configuration mode takes precedence, and the privilege levels of the other commands are rendered ineffective. Users can access all snmp commands at level 5 or higher.
Superseding Privilege Levels with the all Keyword
Issuing the all keyword supersedes privilege levels that were previously set without the all keyword.
In the following example, the snmp-server community command is set to level 7, and the snmp keyword is set to level 6. The privilege level of the snmp keyword does not override the snmp-server community setting, because both of these commands are set without the all keyword.
All snmp commands are then changed to level 5 with the all keyword.
The show configuration output displays all snmp commands at level 5, superseding the existing level 6 setting. The snmp-server community command is still present in the show configuration output, but it is ineffective.
Removing the all Keyword
Using the no version or reset version removes the all keyword and restores default privilege levels.
If the privilege setting of the mode or command for which you are restoring default privilege levels takes precedence over any ineffective privilege settings, those settings will automatically take effect according to the order of precedence (see Using the Order of Precedence ).
The difference between the no version and the reset version is that the reset version removes the configuration from the show configuration output. This is useful when you want to remove a configuration that has been overridden and rendered ineffective by a privilege level that takes precedence.
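The three behaviours described above (the order of precedence for all settings, the all keyword superseding settings made without it, and overridden settings taking effect again once the all entry is removed) can be modelled with a small resolver. This is an added example, not code from the page or from the router software; it assumes a mode-wide all setting is stored against the target mode with an empty pattern, that within a tier the longest matching pattern applies (for entries without all the page only says neither overrides the other), and it uses snmp-server host as a sample command name.

```python
"""Model of the order of precedence for privilege levels set with and without
the all keyword. Added example, not the router's software. None means the
command keeps its default level."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PrivSetting:
    mode: str        # CLI mode the command lives in, e.g. "configure"
    pattern: str     # command prefix; "" stands for every command in the mode
    level: int
    all_kw: bool     # True when set with the all keyword

def effective_level(settings: List[PrivSetting], mode: str, command: str) -> Optional[int]:
    """Precedence: all for a whole mode > all for a keyword group > individual command."""
    hits = [s for s in settings if s.mode == mode and command.startswith(s.pattern)]
    tiers = (lambda s: s.all_kw and s.pattern == "",   # 1: every command in the mode
             lambda s: s.all_kw,                        # 2: commands sharing a keyword
             lambda s: not s.all_kw)                    # 3: individual setting
    for tier in tiers:
        matches = [s for s in hits if tier(s)]
        if matches:   # longest pattern wins; on ties the latest entry (model assumption)
            return max(reversed(matches), key=lambda s: len(s.pattern)).level
    return None

def no_privilege(settings: List[PrivSetting], mode: str, pattern: str,
                 all_kw: bool) -> List[PrivSetting]:
    """no/reset version: drop the entry so overridden settings take effect again."""
    return [s for s in settings
            if not (s.mode == mode and s.pattern == pattern and s.all_kw == all_kw)]

def order_of_precedence_example() -> Optional[int]:
    """community at 11, snmp all at 10, Global Configuration all at 5: 5 wins."""
    cfg = [PrivSetting("configure", "snmp-server community", 11, False),
           PrivSetting("configure", "snmp", 10, True),
           PrivSetting("configure", "", 5, True)]   # privilege exec all level 5 configure
    return effective_level(cfg, "configure", "snmp-server community")

def superseding_example() -> Tuple[tuple, tuple, tuple]:
    """community at 7 and snmp at 6 without all; then all snmp at 5; then removed."""
    cfg = [PrivSetting("configure", "snmp-server community", 7, False),
           PrivSetting("configure", "snmp", 6, False)]

    def probe(c: List[PrivSetting]) -> tuple:
        return (effective_level(c, "configure", "snmp-server community"),
                effective_level(c, "configure", "snmp-server host"))  # sample command

    before = probe(cfg)                                   # (7, 6): neither overrides
    cfg.append(PrivSetting("configure", "snmp", 5, True)) # privilege configure all level 5 snmp
    with_all = probe(cfg)                                 # (5, 5): community ineffective
    after = probe(no_privilege(cfg, "configure", "snmp", True))   # (7, 6) again
    return before, with_all, after
```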
Setting Default Line Privilege
The factory default privilege level for the console line and all vty lines is 1. However, you can use the privilege level command in Line Configuration mode to set the default login privilege for the console line or any number of vty lines.
To change the default privilege level:
- Access Line Configuration mode on the router for the console:
  host1(config)#line console 0
  host1(config-line)#
  or on one or more vty lines:
  host1(config)#line vty 0 12
  host1(config-line)#
  Note: The latter command configures vty lines 0 to 12.
- Specify a starting privilege level for the line or lines:
  host1(config-line)#privilege level 5
The default privilege level for the specified line (or lines) changes. The new values take effect immediately for any new users. If using the console line, you must exit out of the CLI and reestablish a connection before the default takes effect.
If you are validating through RADIUS or TACACS+ and the server specifies an enable level, that enable level takes precedence over the line privilege level.
privilege level
- Use to change the default privilege level of the console line or one or more vty lines.
- Example: host1(config-line)#privilege level 5
- Use the no or default version to restore the default privilege level for the command.

Note: You must access the CLI at privilege level 15 to view or use this command.
- See privilege level.
Viewing CLI Privilege Information
You can view CLI privilege information for yourself (the current user), all connected users on the router, or for any modified CLI commands.
Viewing the Current User Privilege Level
Use the show privilege command to view your current privilege level.
show privilege
- Use to view your current privilege level.
- Example: host1#show privilege
  Privilege level is 10
- There is no no version.
- See show privilege.
Viewing Privilege Levels for All Connected Users
Use the show users detail command to view the privilege levels for all users currently connected to the router. See Monitoring the FTP Server for information about the show users detail command.
Viewing Privilege Levels for Changed CLI Commands
Use the show configuration command to view the changed privilege levels for any modified CLI commands. See Saving the Current System Configuration for information about the show configuration command.
Note: The show configuration command output displays output specific to the session access level. For example, if the session is enabled at level 5, issuing the show configuration command displays only output for commands at level 5 and below.
show privilege group
- Use to view the privilege groups.
- Example:
```
host1(config-if)#show privilege group superUser
The following groups are directly reachable: 14 dailyAdmin
The following groups are reachable: 1 14 2 3 4 basicUser dailyAdmin dailyTroll minUser
```
- There is no no version.
- See show privilege group.