Security - assigning privilege levels, syntax and behavior
When issuing privilege levels for users on an ASA device or a Cisco IOS router, the syntax can be confusing. For example, when issuing the following privilege command:
privilege interface level 8 no shutdown
the resulting commands in the running configuration become:
privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 8 no
So by default, each individual keyword is added as a separate command as well as the command as a whole.
Now let's say I create a user and assign that user privilege level 8. They will be able to use both the shutdown and the no shutdown commands.
Now what happens if I add this command:
privilege interface level 9 no
The running config now looks like this:
privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 9 no
Now how will that affect our user who is still at privilege level 8? Well, they will be able to issue the shutdown command, but not the no shutdown command, since the no keyword is now part of privilege level 9. This is the case even though no shutdown as a complete command is privilege level 8.
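
The audit below is an added example, not part of the original post: it parses privilege lines in the form shown above and flags any multi-keyword command whose leading keyword has been raised above the command's own level, which is the situation described for no shutdown. The function names and the sample text are constructed for illustration, and the check assumes the behavior described on this page.

```python
import re

# Matches the form used on this page: privilege <mode> level <n> <command words>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")


def parse_privilege_lines(config_text):
    """Return {(mode, tuple of command words): level} from running-config text."""
    levels = {}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, level, command = m.group(1), int(m.group(2)), m.group(3)
            levels[(mode, tuple(command.split()))] = level
    return levels


def find_blocked_commands(levels):
    """Flag commands whose leading keyword(s) sit at a higher level than the command."""
    findings = []
    for (mode, words), level in sorted(levels.items()):
        # Check every proper prefix of the command ("no" for "no shutdown").
        for i in range(1, len(words)):
            prefix_level = levels.get((mode, words[:i]))
            if prefix_level is not None and prefix_level > level:
                findings.append((mode, " ".join(words), level,
                                 " ".join(words[:i]), prefix_level))
    return findings


# Constructed sample: the second running config shown above.
SAMPLE_CONFIG = """\
privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 9 no
"""

if __name__ == "__main__":
    for mode, cmd, lvl, prefix, plvl in find_blocked_commands(
            parse_privilege_lines(SAMPLE_CONFIG)):
        print(f"{mode}: '{cmd}' is level {lvl}, but '{prefix}' is level {plvl}; "
              f"users below level {plvl} cannot run it")
```

Run against a saved copy of the running configuration, an empty result means no explicitly configured keyword prefix outranks the command it belongs to.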