Security - assigning privilege levels, syntax and behavior

When issuing privilege levels for users on an ASA device or a Cisco IOS router, the syntax can be confusing. For example, when issuing the following privilege command:

privilege interface level 8 no shutdown

the resulting commands in the running configuration become:

privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 8 no

So by default, the command as a whole and each individual keyword in it are added as separate privilege entries.

Now let's say I create a user and assign that user privilege level 8. They will be able to use the no, shutdown, and the no shutdown commands.

Now what happens if I add this command:

privilege interface level 9 no

The running config now looks like this:

privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 9 no

Now how will that affect our user who is still at privilege level 8? Well, they will be able to issue the shutdown command, but not the no shutdown command since no is now part of privilege level 9. This is the case even though no shutdown as a complete command is privilege level 8.
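A configuration review can catch this kind of mismatch before a user runs into it. The following Python code is an added example, not Cisco code and not part of the original article: it assumes the simplified rule described above (a command is allowed only if every leading-keyword entry that matches it is at or below the user's level), and the function names and sample configuration are constructed for illustration.

```python
import re

# Matches IOS-style lines such as: privilege interface level 8 no shutdown
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")

def parse_privilege_lines(config_text):
    """Return {mode: {command-words tuple: level}} for each privilege line."""
    table = {}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, level, words = m.group(1), int(m.group(2)), tuple(m.group(3).split())
            table.setdefault(mode, {})[words] = level
    return table

def effective_level(table, mode, command):
    """Highest level among entries that are leading-keyword prefixes of the
    command (assumed model of the behaviour described above); None if no entry."""
    entries = table.get(mode, {})
    words = tuple(command.split())
    levels = [entries[words[:i]] for i in range(1, len(words) + 1) if words[:i] in entries]
    return max(levels) if levels else None

def can_run(table, mode, command, user_level):
    """True if the user's level covers every matching entry. Commands with no
    entry are outside this model and are reported as not granted."""
    level = effective_level(table, mode, command)
    return level is not None and user_level >= level

def shadowed_entries(table):
    """Entries granted at one level but gated by a higher-level leading keyword."""
    findings = []
    for mode, entries in table.items():
        for words, level in entries.items():
            needed = effective_level(table, mode, " ".join(words))
            if needed > level:
                findings.append((mode, " ".join(words), level, needed))
    return sorted(findings)

# Constructed sample: the running configuration from the second example above.
SAMPLE_CONFIG = """\
privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 9 no
"""

if __name__ == "__main__":
    table = parse_privilege_lines(SAMPLE_CONFIG)
    for mode, cmd, granted, needed in shadowed_entries(table):
        print(f"{mode}: '{cmd}' is set to level {granted} but needs level {needed}")
```

Run against the sample, it reports that no shutdown is set to level 8 but effectively needs level 9.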

Links:

https://forum.networklessons.com/t/aaa-local-command-authorization/1029/25?u=lagapides

https://networklessons.com/cisco/ccna-routing-switching-icnd2-200-105/aaa-authentication-on-cisco-ios