Can you add privilege level command to allow a certain user to add new users for an ASA?

I thought I could get this done by doing the following:

privilege cmd level 6 mode exec command user

But under a user with that priv level the user can only do the following

user newuser

They can’t assign a password and priv level.

Maybe there is a better / another way to do this?

Answer

In exec mode, user expands to user-alert; this isn’t what you want.

You’re probably looking for something more along these lines:

privilege cmd level 6 mode configure command username

And then possibly some allowances for config-username mode:

privilege cmd level 6 mode username command service-type
privilege cmd level 6 mode username command group-lock
...

But that’s worthless as anything other than a thought exercise. If I’m a restricted level 6 user, and I’m allowed to run the username command in configure mode, then I can create myself a level 15 user; it’s just a waste of effort to put a completely ineffective restriction in place. Adam’s exactly right, TACACS+ should be used for this.

Attribution
Source: Link, Question Author: evolvd, Answer Author: Shane Madden
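An added illustration (not part of either post) of the contrast Shane draws: the local-authorization version of the restriction beside a TACACS+ command-authorization setup, where the per-command policy lives on the AAA server rather than in the ASA's privilege levels. The server-group name TACACS, the host 192.0.2.10 and the shared secret are placeholders.

```cisco
! Constructed example configuration, not from the original thread.
!
! --- Local command authorization, as discussed in the answer ---
! Level-6 users may run "username" in configure mode. Because the
! "username" command accepts a "privilege" keyword, a level-6
! operator can create a level-15 account, so this restriction
! does not actually limit anything.
privilege cmd level 6 mode configure command username
username helpdesk password <placeholder> privilege 6
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
!
! --- TACACS+ command authorization, as the answer recommends ---
! The ASA sends each command line, arguments included, to the
! TACACS+ server before executing it, so the server's command-set
! policy can permit "username ... privilege 6" for the helpdesk
! group while denying any "username" line that sets privilege 15.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key <placeholder-shared-secret>
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
! The LOCAL fallback keeps an admin account usable if the server is unreachable.
```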
