Create Read only SSH User

asadgulzar90
Frequent Visitor

Hi,
1- I need to create an SSH user who can only see/read the config details of a router/switch.
2- Also, I do not want to share the enable password with the read-only user. Is there any way to create a separate enable password for that user too?

Thanks & Regards:

12 Replies

balaji.bandi
Hall of Fame

You can try the below:

username bbandi privilege 3 password 0 mypassword
privilege exec level 3 show startup-config
privilege exec level 3 show VLAN

You can add every command you want to give to the user, as in the example above.

BB

===== Preenayamo Vasudevam =====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Dear, I did that already. After logging in with the new read-only user, it asks for the enable password (which I do not want to share with this new user either), but once I enter the enable password, I am able to go into config mode etc.

You can try the below (also, please provide the device model and IOS code):

enable password level 3 mypassword

If there is still an issue, post the complete configuration; we may need to understand the full config here.

BB


I am not able to access with the new level 3 enable password, and if I access with MY enable password, the new user is able to enter config mode. Below are the config details.


02-GW#sh runn
Building configuration...

Current configuration : 8444 bytes
!
! Last configuration change at 15:19:45 EEST Mon Feb 22 2021 by cyber
version 15.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname 02-GW
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret level 3 5 $1$PqKQ$o09h2RqaJZ02kGOeTHLrC.
enable secret 5 $1$bt7y$E2cMC.v10Tn/6gnQki5Dw.
!
aaa new-model
!
!
aaa authentication login VTY-login local enable
!
!
!
!
!
aaa session-id common
clock timezone EEST 3 0
!
!
!
!
!
!


!
!
!
!
ip domain name abc
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
login block-for 65535 attempts 9 within 180
login quiet-mode access-class Strict-Access
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ2046144P
license accept end user agreement
license boot module c800 level advipservices
!
!
archive
path scp://xyz
write-memory
time-period 1440
username superme privilege 15 secret 5 $1$soZ7$YUYVm5mH2cDYgWICoqzvM0
username cyber privilege 3 password 7 045812040A334F
!
!
!
!
!
controller VDSL 0
!
ip ftp username FTP-MAT
ip ftp password 7 12340403130C09167E7D767E636574
ip ssh source-interface Vlan210
ip ssh version 2
no ip ssh server authenticate user password
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
load-interval 30
atm vc-per-vp 64
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 210
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 300
no ip address
!
interface Vlan1
no ip address
!
interface Vlan210
ip address 172.16.2.2 255.255.255.252
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan300
ip address x.y.z.
ip access-group Blocking_Ports_(External) in
ip nat outside
ip virtual-reassembly in
!
router ospf 2
network 172.16.2.0 0.0.0.3 area 0.0.0.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan210
ip flow-export version 9
ip flow-export destination 192.168.12.103 60102
!
ip dns server
ip nat inside source list 1 interface Vlan300 overload
ip nat inside source static tcp 192.168.102.100 544 xyz 554 extendable
ip nat inside source static tcp 192.168.102.100 8000 xyz 8000 extendable
ip nat inside source static tcp 172.16.2.1 54436 xyz 54436 extendable
ip route 0.0.0.0 0.0.0.0 xyz
!
ip access-list standard Strict-Access
permit 192.168.102.5 log

permit 10.12.100.0 0.0.0.255 log
deny any log
!
ip access-list extended Blocking_Ports_(External)

deny tcp any host 172.16.2.2 eq 139 log
deny tcp any host 172.16.2.2 eq telnet log
permit ip any any
ip access-list extended Deny_Outside_DNS_Requests
deny tcp any any eq domain log
deny udp any any eq domain log
permit ip any any
!
logging trap debugging
logging source-interface Vlan210
logging host 192.168.12.103
!
snmp-server group prtg-admin v3 priv
snmp-server group prtg-snmp-G v3 priv
snmp-server community MAT-com-1 RO
snmp-server host 192.168.12.103 version 3 priv prtg-admin
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 172.16.2.0 0.0.0.3
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
privilege exec level 3 show vlan-switch
privilege exec level 3 show vlans
privilege exec level 3 show startup-config
privilege exec level 3 show
banner motd ^CC

___ _ _ _ __ __
/ _ \ | \ | || | \ \ / /
| | | || \| || | \ V /
| |_| || |\ || |___ | |
\___/ |_| \_||_____||_|

_ _ _ _____ _ _ ___ ____ ___ _____ _____ ____
/ \ | | | ||_ _|| | | | / _ \ | _ \ |_ _||__ /| ____|| _ \
/ _ \ | | | | | | | |_| || | | || |_) | | | / / | _| | | | |
/ ___ \| |_| | | | | _ || |_| || _ < | | / /_ | |___ | |_| |
/_/ \_\\___/ |_| |_| |_| \___/ |_| \_\|___|/____||_____||____/

___ _____ ____ _____ _ _____ _____ ____ _ _ _
|_ _||_ _| / ___||_ _| / \ | ___|| ___| / ___| / \ | \ | |
| | | | \___ \ | | / _ \ | |_ | |_ | | / _ \ | \| |
| | | | ___) | | | / ___ \ | _| | _| | |___ / ___ \ | |\ |
|___| |_| |____/ |_|/_/ \_\|_| |_| \____|/_/ \_\|_| \_|

_ ____ ____ _____ ____ ____ _
/ \ / ___|/ ___|| ____|/ ___|/ ___| | |
/ _ \ | | | | | _| \___ \\___ \ | |
/ ___ \| |___| |___ | |___ ___) |___) ||_|
/_/ \_\\____|\____||_____||____/|____/ (_)

 

^C
!
line con 0
logging synchronous
login authentication VTY-login
no modem enable
line aux 0
line vty 0 4
access-class Strict-Access in
logging synchronous
login authentication VTY-login
transport input ssh
!
scheduler allocate 20000 1000
ntp source Vlan210
ntp server 192.168.105.200

!
end

02-GW#

If you are using local login users, below is a basic config. Add the authorisation commands as suggested and test it. Make sure you do not write the config at any point until you have tested that everything works as expected; if not, you will need to do password recovery. Console-based changes are best.


aaa new-model
aaa authentication login default local
username admin privilege 15 password mypassword
username readonly privilege 3 password mypassword

line vty 0 4
login authentication default


For more authorisation commands:


http://www.dslreports.com/faq/9815

BB


So this has always annoyed me in regards to Cisco privilege levels: the fact that there are 2, everything at 15, and then whatever other number you pick, and then you get to manually type out all the various commands for that number. But what this user found out 5 years ago was that there is really just one, privilege level 15. You can make as many as you want and they can type anything you outline in your privilege commands, but by default the filesystem privilege is only ever 15, so unless you're level 15 you can do NOTHING outside of issuing commands blind, because seeing the running config, and about everything else, needs file access, and that is only for level 15 (unless you change that, and then you are no longer STIG compliant).

If you want to access the show run commands from anything besides level 15, issue this to match first:
file privilege xx

It would be nice to see a "read-only" alternate that was, say, hard-coded to one of the other numbers.
I found this thread by looking for something else; hopefully this helps the next person that finds it. I too struggled with this long ago when trying to develop an account for a junior tech.

From a security point of view, things change over time, so always use the latest best practices rather than outdated suggestions, and meet the requirements.

If AAA is centrally managed by a server like ISE, it is easy to profile.

If this is still local, it depends on the device and model; we can use a different command syntax.


BB


asadgulzar90
Frequent Visitor

Still I am not getting the output as expected. Once I log in with the read-only user, it asks for the enable password, and it does not accept the enable password which I created for level 3; it accepts only the admin enable password. After entering enable mode, I can go to config mode etc. If I run "sh privilege" it shows "current user has privilege 15", whereas I created that user with priv 3.

As soon as you give the enable password as priv 15, you get most of it.

Try adding a user with priv 5 and test it; let me replicate later today.

BB


asadgulzar90
Frequent Visitor

Hello Dear,
I created enable passwords for level 5, level 3 and level 0, and I also created different usernames for each level, but the enable passwords are not working for level 5, 3 or 0.

15.x IOS should work as expected. Try this example:

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

BB


Hello @asadgulzar90 ,

another way of doing this is with the configuration of parser views. Here is a sample config:

aaa new-model
aaa authentication login default local

parser view Ops
secret <some password>
commands exec include show running-config
commands exec exclude show ip route

username operator1 view Ops password <some password>

You can include in the parser view the commands that the user can execute, or exclude the commands that you don't want the user to execute.

The user accesses the router with their username, executes the command enable view Ops, and enters the secret configured in the parser view.

A more detailed guide can be found here: https://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html#wp1048442

HTH

Liviu

Regards, LG
*** Please Rate All Helpful Responses ***
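An added audit script (my own example, not from the thread, the posters, or Cisco) that reads a running-config the way the privilege-level replies above reason about it: for each local user below privilege 15 it flags a missing set of 'privilege exec level N' commands, a missing 'enable secret level N' (plain 'enable' prompts for the level 15 secret), config-viewing commands granted without a matching 'file privilege', and reversible type 7 / type 0 passwords. The sample config is constructed and only loosely modelled on the one posted above; parser views are out of scope.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config (not the poster's real config):
# a level-3 local user, a level-3 enable secret, two level-3 show commands, no file privilege.
SAMPLE_CONFIG = """\
enable secret level 3 5 $1$aaaa$constructedHashValueAAAAAAA.
enable secret 5 $1$bbbb$constructedHashValueBBBBBBBBBBB.
aaa new-model
aaa authentication login VTY-login local enable
username superme privilege 15 secret 5 $1$cccc$constructedHashValueCCCC.
username cyber privilege 3 password 7 045812040A334F
privilege exec level 3 show startup-config
privilege exec level 3 show vlan-switch
"""

def audit_readonly_users(config):
    """Return findings about local users below privilege 15 in an IOS running-config."""
    users = {}                     # name -> (privilege level, credential type, e.g. 'password 7')
    enable_levels = set()          # levels that have their own enable secret/password
    exec_cmds = defaultdict(list)  # level -> commands granted with 'privilege exec level N'
    file_priv = None               # 'file privilege N'; IOS default is 15 when absent
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"username (\S+) privilege (\d+) (secret|password) (\d+)", line):
            users[m[1]] = (int(m[2]), f"{m[3]} {m[4]}")
        elif m := re.match(r"enable (?:secret|password) level (\d+)", line):
            enable_levels.add(int(m[1]))
        elif m := re.match(r"privilege exec level (\d+) (.+)", line):
            exec_cmds[int(m[1])].append(m[2])
        elif m := re.match(r"file privilege (\d+)", line):
            file_priv = int(m[1])
    findings = []
    for name, (level, cred) in users.items():
        if level >= 15:
            continue
        granted = exec_cmds.get(level, [])
        if not granted:
            findings.append(f"{name}: level {level} has no 'privilege exec level {level}' commands")
        if level not in enable_levels:
            findings.append(f"{name}: no 'enable secret level {level}'; plain 'enable' "
                            f"prompts for the level 15 secret")
        if (any(c.startswith(("show startup-config", "show running-config")) for c in granted)
                and (file_priv is None or file_priv > level)):
            findings.append(f"{name}: config viewing granted but file privilege is "
                            f"{file_priv or 15}, needs to be <= {level}")
        if cred.startswith("password"):
            findings.append(f"{name}: reversible '{cred}' credential, use 'secret' instead")
    return findings
```

Run it against the output of "show running-config" saved to a file; on the constructed sample it reports the missing file privilege and the type 7 password for user cyber.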