privilege level command output

zietgiestt
Level 1

Hello,

I have a contractor doing some work for me and he needs to see a few of my access switches.

I set him up with a username with privilege 5 and used a rotary group to allow him direct login to enable mode on a specific port.

Problem is when I tested, a sh run is not showing me any of the running config.

Am I doing something wrong?

2 different switches. Both are 3560X running 15.2(1)E2.

Commands available to level 5:

(output from admin login level 15)

#sh run | inc privilege

privilege exec level 5 show running-config
privilege exec level 5 show logging

(output under his login)

#sh run
Building configuration...

Current configuration : 115 bytes
!
! Last configuration change at 21:29:01 CDT Tue May 31 2011
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end

#sh pri
Current privilege level is 5

Thanks,

D

4 Replies

Jens Albrecht
Spotlight

Hello @zietgiestt,

What you’re seeing is actually expected Cisco IOS behavior.

The “show running-config” command only displays commands that the user has permission to modify at their current privilege level.
So if the privilege level does not include any configuration-mode permissions, the command succeeds but returns almost no output.

This is a hard-coded security feature to prevent non-admin users from reading sensitive configuration such as AAA, keys, passwords, or SNMP communities, and it is implemented by configuration-view filtering based on privilege level.

However, you can bypass this security restriction by using the file system and the 'more system:running-config' command.
This allows the user to read the system: virtual file (which contains the entire running config):

! Authorize file access at privilege level 5
!
file privilege 5
!
! Allow the 'more' command at privilege level 5
!
privilege exec level 5 more
privilege exec level 5 show startup-config
privilege exec level 5 show logging
!
username contractor privilege 5 secret Cisco123

As a result the “contractor” user can log in and use 'more system:running-config', as well as access the startup-config and the log files.

Needless to say, you need to be very careful when bypassing security features, as they are implemented on purpose!

HTH!
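A small audit script, added here as an example and not code from the thread or from Cisco, that reads a saved IOS config and reports which users below level 15 gain a full running-config dump through the 'file privilege' plus 'more' combination described above. The sample config, the placeholder secrets and the rule that commands without a 'privilege exec' line default to level 15 are assumptions.

```python
import re

# Constructed sample (not from a real device): the thread's level-5 contractor
# plus the 'file privilege' / 'more' workaround from the reply above.
SAMPLE_CONFIG = """\
file privilege 5
privilege exec level 5 more
privilege exec level 5 show running-config
privilege exec level 5 show logging
username admin privilege 15 secret <placeholder>
username contractor privilege 5 secret <placeholder>
username helpdesk privilege 3 secret <placeholder>
"""

PRIV_EXEC = re.compile(r"^privilege exec level (\d+) (.+)$")
FILE_PRIV = re.compile(r"^file privilege (\d+)$")
USER_PRIV = re.compile(r"^username (\S+) privilege (\d+)")


def parse_config(text):
    """Collect exec command levels, the file-access level and user levels."""
    exec_levels = {}   # command -> lowest privilege level allowed to run it
    file_level = 15    # IOS default: access to system: files needs level 15
    users = {}         # username -> configured privilege level
    for raw in text.splitlines():
        line = raw.strip()
        if m := PRIV_EXEC.match(line):
            exec_levels[m.group(2)] = int(m.group(1))
        elif m := FILE_PRIV.match(line):
            file_level = int(m.group(1))
        elif m := USER_PRIV.match(line):
            users[m.group(1)] = int(m.group(2))
    return exec_levels, file_level, users


def can_run(exec_levels, command, level):
    """Level 15 runs everything; otherwise the command must be lowered to <= level.
    Assumption: a command with no 'privilege exec' line is treated as level 15."""
    return level == 15 or level >= exec_levels.get(command, 15)


def full_config_readers(text):
    """Users below level 15 who can still dump the whole running config via
    'more system:running-config' (needs the 'more' command and file access)."""
    exec_levels, file_level, users = parse_config(text)
    return sorted(name for name, level in users.items()
                  if level < 15 and can_run(exec_levels, "more", level)
                  and level >= file_level)


if __name__ == "__main__":
    print("full-config readers below level 15:", full_config_readers(SAMPLE_CONFIG))
```

Running it on a config exported with 'show running-config' from a level-15 session is enough; the script needs no device access.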

balaji.bandi
Hall of Fame

Is this a local user, or are you using AAA?

Check this guide for more explanation:

https://community.cisco.com/t5/networking-knowledge-base/configuring-privilege-levels-in-cisco-ios/ta-p/3119029

BB


You are not doing anything wrong. It is one of the principles of the operating system that a user cannot see things in the running config that they are not allowed to change. Try using show startup and see what you get.

HTH

Rick