https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036031#M144990 <P><SPAN><A href="https://supportforums.cisco.com/users/nurbol555">nurbol555</A></SPAN>&nbsp; ,</P> <P>The ASA capabilities are a bit different than IOS. On an ASA, here would be the command:</P> <PRE class="prettyprint">asa-5512(config)# privilege cmd level 14 mode exec command show ?<BR /><BR />configure mode commands/options:<BR /> &lt;cr&gt;<BR />asa-5512(config)# privilege cmd level 14 mode exec command show</PRE> <P>Note that you cannot add "version" after show.&nbsp;However as noted in the link I provided earlier, we can use privilege level 0 which includes show version and a few other commands.</P> <P>We would then add the user thus:</P> <PRE class="prettyprint">asa-5512(config)# username showuser password showuser123 privilege 0</PRE> <P>This new user has access to a limited set of show commands but cannot configure:</P> <PRE class="prettyprint">[c:\~]$ ssh showuser@x.x.x.x<BR /><BR />Connecting to x.x.x.x:22...<BR />Connection established.<BR />To escape to local shell, press 'Ctrl+Alt+]'.<BR />Type help or '?' for a list of available commands.<BR /><BR />asa-5512&gt; show ?<BR /> checksum Display configuration information cryptochecksum<BR /> community-list List community-list<BR /> curpriv Display current privilege level<BR /> disk0: Display information about disk0: file system<BR /> disk1: Display information about disk1: file system<BR /> environment Show environment information<BR /> flash: Display information about flash: file system<BR /> history Display the session command history<BR /> import Show imported objects<BR /> inventory Show all inventory information for all slots<BR /> policy-list List IP Policy list<BR /> prefix-list List IP prefix lists<BR /> software Show software information<BR /> version Display system software version<BR />asa-5512&gt; show run<BR /> ^<BR />ERROR: % Invalid input detected at '^' marker.<BR />asa-5512&gt;</PRE> Mon, 17 Apr 2017 13:42:26 GMT Marvin Rhoads 2017-04-17T13:42:26Z https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036028#M144987 <P>Dears ,</P> <P></P> <P>i want to know which privilege i suppose to use to allow certain user to do "sh version" command as i tried some privilege and they all do the same&nbsp;</P> <P>as privilege 15</P> Tue, 12 Mar 2019 09:13:40 GMT https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036028#M144987 mohamed.fawzy2012 2019-03-12T09:13:40Z https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036029#M144988 <P>I don't think you can restrict access to only "show version" but you cannot restrict access to "show" commands only on an ASA with local database for AAA.</P> <P>Assign the user a non-default privilege level say level 10. Then customize the "show version" commmand to be available to a user with less than full enable (level 15) privilege.</P> <P>More info:</P> <P>https://supportforums.cisco.com/discussion/10987506/asa-privilege-levelsviews</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p3.html#pgfId-2175310</P> Sun, 16 Apr 2017 11:29:29 GMT https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036029#M144988 Marvin Rhoads 2017-04-16T11:29:29Z https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036030#M144989 <P>Hello!</P> <P></P> <P>You can use for example &nbsp;command&nbsp;</P> <P><SPAN style="font-family: 'Courier New';">privilege exec level 14 show&nbsp;version<BR /> </SPAN></P> <P><SPAN style="font-family: 'Courier New';"></SPAN></P> Mon, 17 Apr 2017 10:18:27 GMT https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036030#M144989 nurbol555 2017-04-17T10:18:27Z https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036031#M144990 <P><SPAN><A href="https://supportforums.cisco.com/users/nurbol555">nurbol555</A></SPAN>&nbsp; ,</P> <P>The ASA capabilities are a bit different than IOS. On an ASA, here would be the command:</P> <PRE class="prettyprint">asa-5512(config)# privilege cmd level 14 mode exec command show ?<BR /><BR />configure mode commands/options:<BR /> &lt;cr&gt;<BR />asa-5512(config)# privilege cmd level 14 mode exec command show</PRE> <P>Note that you cannot add "version" after show.&nbsp;However as noted in the link I provided earlier, we can use privilege level 0 which includes show version and a few other commands.</P> <P>We would then add the user thus:</P> <PRE class="prettyprint">asa-5512(config)# username showuser password showuser123 privilege 0</PRE> <P>This new user has access to a limited set of show commands but cannot configure:</P> <PRE class="prettyprint">[c:\~]$ ssh showuser@x.x.x.x<BR /><BR />Connecting to x.x.x.x:22...<BR />Connection established.<BR />To escape to local shell, press 'Ctrl+Alt+]'.<BR />Type help or '?' for a list of available commands.<BR /><BR />asa-5512&gt; show ?<BR /> checksum Display configuration information cryptochecksum<BR /> community-list List community-list<BR /> curpriv Display current privilege level<BR /> disk0: Display information about disk0: file system<BR /> disk1: Display information about disk1: file system<BR /> environment Show environment information<BR /> flash: Display information about flash: file system<BR /> history Display the session command history<BR /> import Show imported objects<BR /> inventory Show all inventory information for all slots<BR /> policy-list List IP Policy list<BR /> prefix-list List IP prefix lists<BR /> software Show software information<BR /> version Display system software version<BR />asa-5512&gt; show run<BR /> ^<BR />ERROR: % Invalid input detected at '^' marker.<BR />asa-5512&gt;</PRE> Mon, 17 Apr 2017 13:42:26 GMT https://community.cisco.com/t5/network-security/asa-user-with-low-privilege/m-p/3036031#M144990 Marvin Rhoads 2017-04-17T13:42:26Z