05-03-2016 01:25 PM - edited 03-10-2019 12:38 AM
I've run across something that has me curious. I've been playing with user account privilege levels on some routers & switches running IOS 12.2. I've found many webpages that explain how to set/modify the privilege level of specific commands, but I've found no documentation of what commands are included with the different privilege levels by default. Does any such documentation exist?
For example, say I have a local account with privilege level 5. Apparently by default privilege level 5 doesn't allow a user to clear interface counters. A higher level user could go into config and do "privilege exec level 5 clear counters" .... but unless one of the level 5 privileged users tells me they can't clear counters I wouldn't have had any way of knowing that command was blocked to them.
I've not found any command that will let me see which commands have been associated with a particular privilege level. The only thing I do know is that commands that have had their privilege levels modified will show up in the running config. But that doesn't help me know what the command defaults are.
Any thoughts?
05-03-2016 02:24 PM
By default, only privilege level 15 gives you anything. Levels 2 through 14 all give the same result by default.
05-04-2016 04:01 AM
> Levels 2 through 14 all give the same result by default.
Yes, I know. But what IS that result? As I said above, had a user not told me I wouldn't have known that clearing counters was not permitted.
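As the first post notes, only commands whose level has been changed appear in the running config. The following is an added example, not code from anyone in this thread: it lists those overrides and, because privilege levels are cumulative, shows which of them each local account can reach. The sample config is constructed and the function names are hypothetical; it cannot reveal the built-in defaults.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt for illustration (not from the thread).
SAMPLE_CONFIG = """\
hostname lab-sw1
username noc privilege 5 secret 5 HASH-PLACEHOLDER
username ops privilege 7 secret 5 HASH-PLACEHOLDER
privilege interface level 7 shutdown
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 5 clear counters
privilege exec level 5 clear
"""

# privilege <mode> [all] level <0-15> <command words>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(?:all\s+)?level\s+(\d+)\s+(.+?)\s*$")
USER_RE = re.compile(r"^username\s+(\S+)\s+.*?\bprivilege\s+(\d+)\b")

def parse_overrides(config):
    """Return (mode, level, command) for every privilege override line."""
    found = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def parse_users(config):
    """Return {username: privilege level} for local accounts that set one."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2))
    return users

def reachable(overrides, user_level):
    """Overridden commands a user at user_level can run (levels are cumulative)."""
    by_mode = defaultdict(list)
    for mode, level, command in overrides:
        if level <= user_level:
            by_mode[mode].append(command)
    return {mode: sorted(cmds) for mode, cmds in by_mode.items()}

if __name__ == "__main__":
    overrides = parse_overrides(SAMPLE_CONFIG)
    for user, level in sorted(parse_users(SAMPLE_CONFIG).items()):
        print(f"{user} (level {level}): {reachable(overrides, level)}")
```

Run it against a saved copy of the running config to review which accounts gained access through overrides before handing out a new privilege level.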