Privilege Levels - No write access

Good Morning,

I have a particular situation where I need a specific user privilege level and I'm trying to figure out the most efficient way to create what I need.

Essentially, I have a student classroom where I am training a group of students. I have set up all of my router and switch configurations the way I need them for the class. Even though I instruct the students to not make permanent changes to the configs, I have some that do so anyway, and wind up wasting time for other students who have to work on the same equipment after them. Even worse, they are saving these changes to the base configuration up in flash, making a system reload ineffective.

What I need is this: I need to create a user privilege level that will allow the users to do just about everything EXCEPT "wr mem", "copy run start" or "copy run flash:/xxxxx". They need to be able to show running configs, create access lists, drop MACs, the works. I just need to find a way to prevent them from saving anything to the running config, startup config or the base config stored in flash.

I would appreciate any ideas that can be passed along. I understand how to build different privilege levels as far as the documentation is concerned. But from what I understand, those custom levels are built by giving specific permissions as to what the user CAN do. It would be great if I could figure out an efficient way to create a privilege level that has all the same permissions as level 15, but being unable to save anything (something they CAN'T do).

Thanks in advance for any and all advice.



Are you running TACACS+ services for AAA?

No, unfortunately I do not have access to TACACS+.