It is possible to change the privilege level of “show run” and assign it to something other than level 15. You can change the privilege level but you are likely to be surprised at the result when you do. A person executing “show run” can only see things that they have the ability to change. So someone executing the command at privilege level 8 would not have the ability to change anything and basically would see only an empty configuration.
The default configuration for Cisco IOS based networking devices uses privilege level 1 for user EXEC mode and privilege level 15 for privileged EXEC. The commands that can be run in user EXEC mode at privilege level 1 are a subset of the commands that can be run in privileged EXEC mode at privilege 15.
In Cisco IOS, the higher your privilege level, the more router access you have. When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.
It is not sufficient to assign the show running-config command to a particular privilege level. If a user should be able to see a particular section of the configuration file, the commands that make up that section must also be included in the respective privilege level.
So for example, consider the following set of privileges:
privilege interface level 5 shutdown
privilege interface level 5 ip address
privilege interface level 5 ip
privilege interface level 5 bandwidth
privilege configure level 5 interface
privilege exec level 5 show running-config
privilege exec level 5 show
The command show running-config will now display:
Current configuration : 425 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
!
interface FastEthernet0/1
no ip address
shutdown
!
interface Serial1/0
bandwidth 512
ip address 10.0.0.1 255.255.255.0
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
!
end
As you can see, the command output contains only those configuration commands that have been explicitly assigned to the level with the privilege commands. The 'all' keyword in the privilege specification can simplify the explicit list of sections that should be visible in the output; for example, privilege configure all level 5 interface allows all interfaces and their internal configuration to be seen. There is no easy way to make the entire running-config visible at privilege levels below 15.
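To make the filtering rule above concrete, here is an added simulation (example code, not Cisco's implementation) that takes the privilege set from this answer plus a constructed running-config and returns what a user at a given level would get from show running-config. It assumes a simplified model of IOS: subcommands indented under a section are checked in that section's mode (the section's first word, e.g. 'interface'), a 'no' form is governed by the same command, level 15 always sees everything, and a section granted with the 'all' keyword exposes all of its subcommands.

```python
import re

PRIV_RE = re.compile(r"^privilege (\S+) (all )?level (\d+) (.+)$")

def parse_privileges(text):
    # -> list of (mode, level, command, all_flag) tuples
    found = (PRIV_RE.match(l.strip()) for l in text.strip().splitlines())
    return [(m[1], int(m[3]), m[4], m[2] is not None) for m in found if m]

def matching_rule(rules, mode, line, user_level):
    # Rule that lets user_level run this command in this mode, or None.
    cmd = line.strip()
    if cmd.startswith("no "):
        cmd = cmd[3:]             # assumption: 'no ip address' is governed by 'ip address'
    for rule in rules:
        r_mode, lvl, prefix, _ = rule
        if r_mode == mode and lvl <= user_level and (cmd + " ").startswith(prefix + " "):
            return rule
    return None

def filtered_running_config(rules, running_config, user_level):
    # Lines a user at user_level gets back from 'show running-config'.
    lines = [l.rstrip() for l in running_config.strip().splitlines()]
    if user_level == 15:
        return lines              # level 15 always sees the whole configuration
    if not matching_rule(rules, "exec", "show running-config", user_level):
        return []                 # the show command itself is not available here
    out, sect_mode, sect_all = [], None, False
    for line in lines:
        if line.startswith(" "):  # subcommand nested under a section
            if sect_mode and (sect_all or matching_rule(rules, sect_mode, line, user_level)):
                out.append(line)
            continue
        rule = matching_rule(rules, "configure", line, user_level)
        if line in ("!", "end") or line.endswith("-marker") or rule:
            out.append(line)      # structural lines are always printed
        # a visible section's first word (e.g. 'interface') is the mode of its subcommands
        sect_mode, sect_all = (line.split()[0], rule[3]) if rule else (None, False)
    return out

# Constructed sample input: the page's privilege set and a small running-config.
PAGE_PRIVILEGES = "\n".join(["privilege interface level 5 shutdown", "privilege interface level 5 ip address",
    "privilege interface level 5 ip", "privilege interface level 5 bandwidth", "privilege configure level 5 interface",
    "privilege exec level 5 show running-config", "privilege exec level 5 show"])
SAMPLE_CONFIG = "\n".join(["hostname R1", "!", "interface Serial1/0", " description uplink", " bandwidth 512",
    " ip address 10.0.0.1 255.255.255.0", "!", "line vty 0 4", " login", "!", "end"])

if __name__ == "__main__":
    print("\n".join(filtered_running_config(parse_privileges(PAGE_PRIVILEGES), SAMPLE_CONFIG, 5)))
```

Running it at level 5 drops hostname, description and the vty section, exactly the behaviour shown in the output above; at level 1 the show command itself is unavailable, so nothing is returned.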
The privilege command can also be used to assign a privilege level to a username, so that when a user logs in with that username the session runs at the privilege level specified by the privilege command. For example, if you want your technical support staff to view the configuration on a networking device to help them troubleshoot network problems without being able to modify the configuration, you can create a username, configure it with privilege level 15, and configure it to run the show running-config command automatically. When a user logs in with that username, the running configuration is displayed automatically.