Group has the higher priority. If an SNMP user belonging to an SNMP group is not configured with the password or if the group security level is not the same as the user security level, the error shown is "AUTHORIZATION_ERROR". The Cisco-specific error message for this scenario is "unknownUserName".

Check this:

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/nm-snmp-snmpv3.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F

-Thanks

Hi. Before I found this answer and the link Vinod Arya provided, I had the same question, so I did some tests in GNS3 configuring different snmpv3 groups within a router cisco 2800 (i.e. a no-auth group, an auth group and a priv group); creating different users with different security levels  and making all the possible combinations between users and groups. After capturing with Wireshark those results (i'll put them at the end of the question) I write a "rule", the "general conclusion" of that dependency between the security level of groups and users, as follows:

- " Within the agent, the group's security level has precedence over the user's security level member of that group, if the group's security level is greater than the user's security level. This is explained with the following two scenarios. First scenario, If inside the agent, the group which the user belongs, does not have any securities (a noauth group) and the user inside of it has a security level greater, for example, authPriv; an external incoming request to the user of this agent, with authNoPriv security level, will be able to gather the information that was looking for, despite the user inside router's agent has configured both authentication and privacy protocols and keys. Second scenario, the opposite situation. When the group's security level is higher, for example authPriv and the user within the group has a lower security level (for example, a noAuthNoPriv user or a authNoPriv user)  an external incoming request to the user of this agent, with noAuthNoPriv or authNoPriv security level, will get a NULL response to the request.

That's why concordance must exist between the security level of both the group and the users members of that group.

Another important consideration is consider the interaction between user's security levels (admin and agents). The security level of the user has precedence over the request's security level of the admin console, because if the security level of the incoming request is higher than the configured for the user who it is asking to, the request won't be successfull and an error message "unsupported security level" will be sent to the admin console."  -

Please I want to know if the conclusion I reached after the analisis of the results of tests is correct, or if it's imprecise, you can help me to improve it.

In the link it doesn't say literally that the group has precedence, it mentions about the errors in the case of a missing password or inconsistence between group and user's security level. Also saying that the group's security level has precedence over the user's security level is not always true wich I think was demonstrated with the first scenario example, that's why I need to know if the explanation I wrote is good or is missing something.  Thanks in advance

Results of the tests: the image provided