10.2 Basic Security
10.2.7 Controlling privilege levels
The two default levels of access are user EXEC and privileged EXEC. User EXEC mode lets a user run a limited set of commands (mostly show, ping and traceroute) but does not allow changing the configuration or running debug commands. At the other end of the spectrum, privileged EXEC mode allows the user to issue every command, including configuration and debug commands.

The Cisco IOS command set lets you define intermediate levels of privilege between these two. This is done with the privilege command, which assigns individual commands to a level. It gives network administrators a more granular set of access rights on Cisco network devices, so that an operator who only needs to reset an interface does not have to be given full level 15 access.

Sixteen different levels of privilege can be set, ranging from 0 to 15. Level 1 is the default user EXEC privilege. The highest level, 15, gives the user full control of the device. Level 0 can be used to specify a more limited subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands. Levels are cumulative: a user at level N can run every command assigned to levels 0 through N.

Note: The five commands associated with privilege level 0 are disable, enable, exit, help, and logout. If you configure a centralized authorization server, such as an AAA server, for a privilege level greater than 0, these five commands are not automatically included. For any other privilege level you must specify which commands are authorized at that level. Use the privilege command to define the commands that can be entered at a given level:

Router(config)#privilege mode level level command

where mode is one of the command modes listed in Figure .

Use the enable secret level level password command to set the password that must be entered to reach that privilege level with the enable level command. The following example shows a user named "student" logging in with a privilege level of 3. Privilege level 3 has been assigned the password "san-jose." The user can run every command assigned to level 3 with the privilege mode level 3 command, as listed in Figure , together with everything available at levels 0 through 2.
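The following configuration is an added example that is not the page's own figure: a restricted "operator" profile at privilege level 3. The user name (student), the level (3) and the level-3 password (san-jose) follow the text above; the particular commands granted, the level-15 and account secrets, and the assumption that SSH is already configured on the device are this example's own choices.

```cisco
! Added example, not the page's figure. Builds a level-3 operator profile.
!
! 1. Assign commands to level 3. Granting a command also makes the keywords
!    above it usable at that level (granting "show running-config" exposes
!    "show"), so list every leaf command you intend to expose and nothing
!    broader. Every command not listed keeps its default level.
privilege exec level 3 show running-config
privilege exec level 3 configure terminal
privilege configure level 3 interface
privilege interface level 3 shutdown
privilege interface level 3 description
!
! 2. Password for reaching level 3 with "enable 3" from a lower level.
!    Levels are cumulative, so a level-3 user also has levels 0 to 2.
!    "enable secret" without a level sets the level-15 password; keep it
!    separate and strong (the value below is a placeholder).
enable secret level 3 san-jose
enable secret CHANGE-ME-strong-level-15-secret
!
! 3. Local account that lands directly at level 3 on login, without
!    typing "enable". The account secret is a placeholder, deliberately
!    different from the level-3 enable secret.
username student privilege 3 secret CHANGE-ME-student-secret
!
! 4. Make the vty lines use the local account database (assumes SSH keys
!    and a domain name are already configured).
line vty 0 4
 login local
 transport input ssh
!
! 5. Verification from a session logged in as "student":
!    Router#show privilege        -> Current privilege level is 3
!    Router#show running-config   -> shows only the configuration lines
!                                    a level-3 user could enter itself
!    Router#reload                -> rejected by the parser: "reload" is
!                                    still level 15 and was not granted
```

Because the parser simply does not recognise commands above the session's level, a denied command is reported as invalid input rather than as a permission error; use show privilege to confirm which level a session actually landed at when a user reports a "missing" command.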