What you want using local authentication is very difficult.
As you want the user to be able to show all the configs, that might not be possible. Reason for that is, in sh run, we have complete config, and most of the commands are at level 15, even though you bring down the level of command, in order to show everything, you would be required to bring all the commands down to level 7.
Which is not a feasible thing.
What you want to accomplish is possible using TACACS+ (ACS).
In which you can configure command authorization on the device, and restrict a user/group to only have access to do,
"sh run" and "no mac-address-table static h.h.h vlan <1-4096>"
and no other command.
And have one user/group to have access to all the command set on the device. You can have any combination that you want.
The second part that you need,
To let user be able to type command "no mac-address-table static h.h.h vlan <1-4096>"
this may be possible, but for that you would also be required to bring the level of vlan down to 7
you can give it a try.
But I'll go for command authorization.
But in case that is not even near to be feasible, then you can see if this work around works for you,
Please see one example below, and you do not require to alter the privilege level of commands too in command authorization as well as in the example below,
menu HELPDESK text 1 Running config
menu HELPDESK command 1 show runn
menu HELPDESK options 1 pause
menu HELPDESK text 2 Route
menu HELPDESK command 2 show ip route
menu HELPDESK options 2 pause
menu HELPDESK text 3 Interfaces
menu HELPDESK command 3 show interfaces
menu HELPDESK options 3 pause
menu HELPDESK text 4 Exit
menu HELPDESK command 4 exit
username password
username privilege 15
username autocommand menu HELPDESK
Regards,
Prem
