Security - privilege levels and command output

When configuring privilege levels on a Cisco IOS device, you can make certain commands available at lower privilege levels. However, this does not mean that the output of those commands will also be available.

For example, if you configure the following:

R1(config)#privilege exec level 1 show running-config

and then run this command from user mode, you get the following result:

R1>show running-config
R1>

You can see that the command ran successfully, since there are no error messages. However, there is no output!

The reason you see no output is that while the command is recognized (and not invalid), the device's security settings prevent the display of configuration details at the current privilege level. This is a security measure to prevent unauthorized viewing of sensitive configuration details: the privilege level does not have the rights needed to display the configuration on the screen.

Indeed, only privilege level 15 allows the running configuration to be displayed as a result of this command. No lower privilege level will display the output of this command.

Privilege level 15 is also called privileged EXEC mode, and can also be entered using the enable command.
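
As an added example (not part of the original page), the following Python check scans a saved configuration for a "privilege exec level N show running-config" line with N below 15 and lists the local users who could run the command yet, per the behaviour described above, would see no output. The sample configuration, the usernames and the function name are constructed for illustration.

```python
import re

# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
hostname R1
username helpdesk privilege 5 secret 0 EXAMPLE-ONLY
username noc privilege 7 secret 0 EXAMPLE-ONLY
username admin privilege 15 secret 0 EXAMPLE-ONLY
privilege exec level 5 show running-config
privilege exec level 5 show
privilege exec level 1 show ip interface brief
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(?:all\s+)?level\s+(\d+)\s+(.+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s.*?\bprivilege\s+(\d+)\b")
FULL_LEVEL = 15  # per the text above, only level 15 displays the running config
TARGET = ["show", "running-config"]


def audit_show_run(config_text):
    """Find 'privilege exec level N show running-config' with N < 15 and list
    the local users who can run the command but will see no output."""
    lowered, users = [], {}
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = PRIV_RE.match(line.lower())
        if m and m.group(1) == "exec" and m.group(3).split() == TARGET:
            level = int(m.group(2))
            if level < FULL_LEVEL:
                lowered.append((no, level))
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    findings = []
    for no, level in lowered:
        # A user may run commands assigned to their level or any lower one.
        blind = sorted(u for u, p in users.items() if level <= p < FULL_LEVEL)
        findings.append({"line": no, "level": level, "users_without_output": blind})
    return findings


if __name__ == "__main__":
    for finding in audit_show_run(SAMPLE_CONFIG):
        print(finding)
```

A finding means the privilege line gives those users a command that is accepted but silent, so the intended delegation is not working and should be reviewed.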

Links:

https://forum.networklessons.com/t/aaa-local-command-authorization/1029/29?u=lagapidis

https://networklessons.com/cisco/ccie-routing-switching/aaa-local-command-authorization

https://networklessons.com/cisco/ccna-routing-switching-icnd1-100-105/introduction-cisco-ios-cli-command-line-interface