06-23-2015 09:21 AM - edited 03-11-2019 11:10 PM
I'm trying to set up a local user with limited access on a Cisco ASA firewall (5525-X running 9.4.1).
I have already set up the firewall for the ASA default read-only (level 5) and monitor-only (level 3) User roles.
What I need to do now is to create a new User Role at Level 7.
This user needs to be able to add and remove rules, NATs and objects only.
I have set the below commands to privilege level 7.
CUSTX-HA-FW/pri/act# show run | i level 7
privilege cmd level 7 mode exec command asdm
privilege show level 7 mode exec command object-group
privilege show level 7 mode exec command nat
privilege show level 7 mode configure command object-group
privilege show level 7 mode configure command object
privilege show level 7 mode configure command nat
privilege clear level 7 mode exec command object-group
privilege clear level 7 mode exec command access-list
privilege clear level 7 mode exec command nat
privilege cmd level 7 mode configure command configure
privilege cmd level 7 mode configure command object
privilege cmd level 7 mode configure command object-group
privilege cmd level 7 mode configure command access-list
privilege cmd level 7 mode configure command asdm
privilege cmd level 7 mode configure command nat
privilege clear level 7 mode configure command nat
privilege clear level 7 mode configure command access-list
privilege clear level 7 mode configure command object-group
privilege clear level 7 mode configure command object
privilege cmd level 7 mode network-object-group command network-object
privilege cmd level 7 mode session_network-object-group command network-object
ORIGIN-HA-FW/pri/act# show run username
username test7 password XXXXXX encrypted privilege 7
When I log into the Firewall using a test account it is always in 'read-only' mode so I don't have the 'add' buttons in the configuration panes.
Can anyone point me in the right direction of what I am missing?
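Added example (not from the poster or from Cisco): a small audit script that parses `privilege ... level N mode M command C` and `username ... privilege N` lines from an ASA running-config and reports which commands each local user can reach, on the ASA rule that a user may run any command assigned a level at or below their own when local command authorization is in effect. It models CLI command authorization only; the ASDM behaviour discussed in this thread is outside its scope, and the sample config below is constructed from the lines in the post.

```python
"""Audit which ASA commands each local user can reach, by privilege level."""
import re
from dataclasses import dataclass

# Constructed sample, taken from the level-7 lines in the post above plus
# a hypothetical level-5 account for comparison.
SAMPLE_CONFIG = """\
privilege cmd level 7 mode exec command asdm
privilege show level 7 mode exec command object-group
privilege show level 7 mode configure command nat
privilege clear level 7 mode configure command access-list
privilege cmd level 7 mode configure command configure
privilege cmd level 7 mode configure command access-list
privilege cmd level 7 mode network-object-group command network-object
username test7 password XXXXXX encrypted privilege 7
username auditor password XXXXXX encrypted privilege 5
"""

PRIV_RE = re.compile(
    r"^privilege\s+(show|clear|cmd)\s+level\s+(\d+)\s+mode\s+(\S+)\s+command\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+(\d+)$")


@dataclass(frozen=True)
class PrivRule:
    form: str      # show | clear | cmd
    level: int     # privilege level assigned to this form of the command
    mode: str      # exec, configure, or a sub-mode such as network-object-group
    command: str


def parse_config(text):
    """Return (list of PrivRule, {username: privilege level}) from config text."""
    rules, users = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := PRIV_RE.match(line):
            rules.append(PrivRule(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
    return rules, users


def allowed_commands(rules, user_level):
    """Commands a user may run: those whose assigned level is <= the user's level."""
    return sorted({(r.form, r.mode, r.command) for r in rules if r.level <= user_level})


def can_enter_config_mode(rules, user_level):
    """Write access starts with 'configure'; flag users who can reach it."""
    return any(r.form == "cmd" and r.command == "configure" and r.level <= user_level
               for r in rules)


def audit(text):
    rules, users = parse_config(text)
    return {name: {"commands": allowed_commands(rules, lvl),
                   "config_mode": can_enter_config_mode(rules, lvl)}
            for name, lvl in users.items()}
```

Run `audit(SAMPLE_CONFIG)` to see that the level-7 account reaches all seven explicitly lowered commands, including `configure`, while the level-5 account reaches none of them.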
06-24-2015 02:32 AM
Hi Ayub,
Try adding the following command:
ciscoasa(config)# privilege cmd level 7 command configure
Hope it helps!!!
06-24-2015 03:29 AM
I did that already but it hasn't helped:
privilege cmd level 7 mode configure command configure
privilege cmd level 7 mode configure command object
privilege cmd level 7 mode configure command object-group
privilege cmd level 7 mode configure command access-list
privilege cmd level 7 mode configure command asdm
privilege cmd level 7 mode configure command nat
12-18-2015 01:27 AM
For anyone that finds this thread.
After some further investigation I found that this requirement is not possible on the ASDM.
See this thread:
https://supportforums.cisco.com/discussion/10892336/user-role-editing-access-lists-asdm