Privilege Level RADIUS

fasteddye
Level 1

I am trying to set up some privilege restrictions for our NOC group that helps support our WAN circuits on Cisco IOS routers (ex. 4451). This user will only need access to a few commands and the ability to admin down an interface. We use Microsoft RADIUS for aaa and have a working configuration, but it gives the user access to commands they don't really need. I am trying to pare this down to eliminate any extra commands they do not need to have, or inadvertent commands being run.

The user can access the router now, and it puts them in User Exec mode; they do not have to enter enable to get to config t (we prefer that they not know the enable password). I may not be fully understanding the use of the privilege commands, the priv levels with RADIUS, or maybe the need for aaa authorization.


Examples of the commands this user group needs are the following:
show logging
show interface xx/xx/xx
show bgp
show bgp summary
show ip ospf neighbors
show ip route
clear counters on an interface


On RADIUS we have an NPS policy set up for the AD group and an AV-Pair with shell:priv-lvl=1


--aaa on the router--
aaa group server radius PKI
aaa authentication login default local group PKI line


--privilege commands currently on the router--
privilege exec level 1 copy running-config startup-config
privilege exec level 1 copy running-config
privilege exec level 1 copy
privilege exec level 1 write memory
privilege exec level 1 write
privilege exec level 1 ping
privilege exec level 1 configure terminal
privilege exec level 1 configure
privilege exec level 1 show running-config
privilege exec level 1 show logging
privilege exec level 1 show
privilege exec level 1 clear counters
privilege exec level 1 clear
privilege interface level 1 shutdown
privilege configure level 1 interface

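An added example configuration for the situation described in the post (this is not the poster's configuration and not a reply from the thread). It keeps the poster's RADIUS group name PKI and introduces a hypothetical custom privilege level 5 for the NOC group; the NPS AV-Pair would change to shell:priv-lvl=5 to match. The security point it illustrates: the posted config lowers configure terminal, copy, write and show running-config to level 1, which is the level every authenticated user lands in by default, so every RADIUS user gets write access regardless of the priv-lvl attribute. Moving the NOC commands to a dedicated level leaves level 1 read-only, and aaa authorization exec is what makes IOS honor the shell:priv-lvl attribute at all.

```cisco
! Added example, not the poster's running configuration.
! Assumes: RADIUS server group "PKI" from the post (its server entries are
! omitted here); privilege level 5 is a hypothetical NOC level; NPS returns
! Cisco AV-Pair shell:priv-lvl=5 for the NOC AD group.

! 1. Undo the lines that lowered write/config commands to level 1, the
!    default level for every authenticated user. This restores them to 15.
no privilege exec level 1 copy running-config startup-config
no privilege exec level 1 copy running-config
no privilege exec level 1 copy
no privilege exec level 1 write memory
no privilege exec level 1 write
no privilege exec level 1 configure terminal
no privilege exec level 1 configure
no privilege exec level 1 show running-config
no privilege exec level 1 clear counters
no privilege exec level 1 clear
no privilege interface level 1 shutdown
no privilege configure level 1 interface

! 2. Grant only the NOC command set at level 5. show logging, show
!    interfaces, show bgp, show ip ospf neighbor and show ip route are
!    already level 1 and need no privilege lines; the write-type actions do.
!    The config/interface path is the minimum needed to reach "shutdown";
!    all other interface subcommands stay at level 15.
privilege exec level 5 clear counters
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown

! 3. Make the RADIUS priv-lvl attribute take effect. Without exec
!    authorization, IOS does not apply shell:priv-lvl and the user is
!    simply placed at the line default (level 1).
aaa new-model
aaa group server radius PKI
aaa authentication login default local group PKI line
aaa authorization exec default group PKI local

! 4. Local fallback account at the same level for when RADIUS is
!    unreachable; the secret is a placeholder.
username noc-fallback privilege 5 secret <placeholder-secret>
```

After a NOC user logs in, show privilege should report level 5, and show running-config | include privilege should list only the four level-5 lines plus nothing at level 1. Saving the configuration (copy running-config startup-config, write memory) is deliberately not granted, since it was not in the list of commands the group needs.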