These features are for limiting what users can do once they are logged in.

## Local Privilege Levels

Cisco IOS uses **privilege levels** to control command access:

- **Level 0**: Very limited (e.g., `logout`)
- **Level 1**: Default user mode
- **Level 15**: Full access (enable mode)
- **Levels 2–14**: User-defined

### Local Privilege Configs

```plaintext
! Move these commands down to privilege level 1 so that level-1 users can run them
privilege exec level 1 show running-config
privilege configure level 1 interface
privilege interface level 1 ip address
```

> You will only see commands at your privilege level. For example, if you're level 1, `show running-config` only displays the sections configured at level 1.

## AAA for Local Authentication

```plaintext
aaa new-model
username admin password cisco
aaa authentication login default local
aaa authorization exec default local
```

## Role-Based Access Control (RBAC)

More granular than privilege levels.

- **Roles = Views**
- Views define command access
- Can be **enabled manually** or **assigned to users**
- Requires **AAA enabled** (`aaa new-model`)

### Parsers & Views

```plaintext
parser view FIRST inclusive
 secret firstpass
 commands exec exclude show version
 ! "all" covers every subcommand under the named command (here, show ip ...)
 commands exec exclude all show ip
 commands exec exclude configure terminal
parser view SECOND
 secret secondpass
 commands exec include show version
 commands exec include all show ip
 commands exec include-exclusive configure terminal
```

> `inclusive` views deny by default, and only allow included commands.
> `exclusive` views allow by default, and only deny explicitly excluded commands.
> `include-exclusive` means this command can **only belong to this view**.

### Assigning Views to Users

```plaintext
username admin view SECOND password cisco
aaa authentication enable default enable
aaa authorization exec default local
```

Note that users can switch views while logged in with the `enable view [view-name]` command, and will have to enter that view's password.
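To review a device's view configuration offline, the following Python script (an added example, not part of the original notes or any Cisco tool) parses `parser view` blocks and `username ... view` assignments from a running-config and reports three things a reviewer would want to know: whether `aaa new-model` is present, whether any user is assigned to a view that does not exist, and whether a command marked `include-exclusive` in one view is also included in another. The config fragment is constructed for the example; only explicit `commands ... include` lines are compared, so implicit access from an `inclusive` view is not detected.

```python
import re

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
username admin view SECOND password cisco
username helpdesk view NOC password cisco
parser view FIRST inclusive
 secret 5 $1$constructed
 commands exec exclude show version
 commands exec exclude configure terminal
parser view SECOND
 secret 5 $1$constructed
 commands exec include show version
 commands exec include-exclusive configure terminal
parser view THIRD
 secret 5 $1$constructed
 commands exec include configure terminal
"""

VIEW_RE = re.compile(r"^parser view (\S+)( inclusive)?$")
CMD_RE = re.compile(r"^ commands (\S+) (include-exclusive|include|exclude) (.+)$")
USER_RE = re.compile(r"^username (\S+) view (\S+)", re.M)

def parse_views(config):
    """Map view name -> {"inclusive": bool, "commands": [(mode, action, command)]}."""
    views, current = {}, None
    for line in config.splitlines():
        if m := VIEW_RE.match(line):
            current = m.group(1)
            views[current] = {"inclusive": bool(m.group(2)), "commands": []}
        elif (m := CMD_RE.match(line)) and current:
            views[current]["commands"].append((m.group(1), m.group(2), m.group(3)))
        elif not line.startswith(" "):
            current = None  # an unindented line ends the parser view block
    return views

def audit(config):
    """Return review findings: missing AAA, dangling view assignments, and
    include-exclusive commands that another view also explicitly includes."""
    findings, views = [], parse_views(config)
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model missing: views cannot be enabled")
    for user, view in USER_RE.findall(config):
        if view not in views:
            findings.append(f"user {user} assigned to undefined view {view}")
    for name, v in views.items():
        for mode, action, cmd in v["commands"]:
            if action != "include-exclusive":
                continue
            for other, ov in views.items():
                if other != name and (mode, "include", cmd) in ov["commands"]:
                    findings.append(f"{cmd!r} is include-exclusive in {name} but included in {other}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```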