Cisco IOS XE bug with privileges

I created a privilege level 3 user, but I didn't find a command that gives the "match" command permission in the created "class-map" (default type: qos), even though I added all the relevant commands related to the "match" command permission.

show version:

cisco ISR4351/K9 (2RU)

Cisco IOS XE Software, Version 16.06.04 Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)

 

What I want to achieve: level 3 users can enter only the following commands:

class-map xxx

 match access-group name xxx

 

Added permissions:

username xxx privilege 3 password 7 xxx
privilege cfg-bs-fs level 3 match
privilege isakmp-profile level 3 match
privilege crypto-map-fail-close level 3 match
privilege crypto-ipsec-profile level 3 match
privilege crypto-map level 3 match
privilege oer_mc_map level 3 match
privilege ipenacl level 3 permit ip host
privilege ipenacl level 3 permit ip any host
privilege ipenacl level 3 permit ip any any
privilege ipenacl level 3 permit ip any
privilege ipenacl level 3 permit ip
privilege ipenacl level 3 permit
privilege ipenacl level 3 no permit ip host
privilege ipenacl level 3 no permit ip any host
privilege ipenacl level 3 no permit ip any any
privilege ipenacl level 3 no permit ip any
privilege ipenacl level 3 no permit ip
privilege ipenacl level 3 no permit
privilege conf-rad-filter level 3 match
privilege tcl level 3 configure terminal
privilege tcl level 3 configure
privilege tcl level 3 show flow monitor name
privilege tcl level 3 show flow monitor
privilege tcl level 3 show flow
privilege tcl level 3 show
privilege policy-list level 3 match
privilege l2vpn-xc level 3 match
privilege xconnect-vc-config level 3 match
privilege xconnect-cem-sig-config level 3 match
privilege xconnect-cem-data-config level 3 match
privilege xconnect-cem-config level 3 match
privilege xconnect-pvp-config level 3 match
privilege xconnect-pvc-config level 3 match
privilege xconnect-dlci-config level 3 match
privilege xconnect-conn-config level 3 match
privilege xconnect-subif-config level 3 match
privilege xconnect-if-config level 3 match
privilege fqdn-acl-name level 3 match
privilege flowrec level 3 match
privilege fr-vcb-bmode level 3 match
privilege route-map level 3 match
privilege cm-ac level 3 match
privilege policymap-service level 3 no
privilege policymap-service-classmap level 3 police
privilege config-mdns-sd-sl level 3 match
privilege ip-portbundle level 3 match
privilege vrrp-grp level 3 match-address
privilege configure level 3 ip access-list extended
privilege configure level 3 ip access-list
privilege configure level 3 policy-map
privilege configure level 3 class-map type control
privilege configure level 3 class-map type traffic
privilege configure level 3 class-map type
privilege configure level 3 class-map
privilege configure level 3 ip
privilege configure level 3 no ip access-list extended
privilege configure level 3 no ip access-list
privilege configure level 3 no policy-map
privilege configure level 3 no class-map type control
privilege configure level 3 no class-map type traffic
privilege configure level 3 no class-map type
privilege configure level 3 no class-map
privilege configure level 3 no ip
privilege configure level 3 no
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 3 show flow monitor name
privilege exec level 3 show flow monitor
privilege exec level 3 show flow
privilege exec level 3 show

 

Level 3 user login:

RT-IRS4351(config)#class-map ?
WORD class-map name
match-all Logical-AND all matching statements under this classmap
match-any Logical-OR all matching statements under this classmap
type Configure CPL Class Map

RT-IRS4351(config)#class-map xxx
RT-IRS4351(config-cmap)#?
Class-map configuration commands:
exit Exit from class-map configuration mode
no Negate or set default values of a command

 

 I suspect this is a bug, because there is no option for the class-map default type qos in the privilege command.

1 Reply

Hello,

 

Can you enter:

 

privilege map-class all level 3 match