[c-nsp] Setting up a RO user in IOS-XR and IOS-XE

Gert Doering gert at greenie.muc.de
Mon Feb 16 10:55:37 EST 2026


Hi,

On Mon, Feb 16, 2026 at 05:40:21PM +0200, Hank Nussbacher via cisco-nsp wrote:
> Under IOS-XE if we do:
> 
> username <username> privilege 1 secret <password>
> 
> the user has no ability to do any show commands.

Unless there is "something in the config" that puts "show" to priv level 15,
this is exactly how you do it...

ar3.sv3-2>sh priv
Current privilege level is 1
ar3.sv3-2>sh ver
Cisco IOS XE Software, Version 17.09.05a
...
ar3.sv3-2>sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Te0/0/0                unassigned      YES NVRAM  up                    up      


(in this case, the priv=1 comes from TACACS, but "show priv" is 
authoritative enough)

[..]
> but "task read" requires many additional parameters such as "task read
> ospf", "task read acl", "task read bgp", "task read ipv4",
> etc.
> 
> Can anyone provide the exact IOS-XE and IOS-XR commands to create a RO user?

IOS XR does not have "a RO user", and no simple 1..15 privilege leveling
- you need to define fairly explicitly on which subsystems a user can have
"show" privs.

One of our boxes has, for example

taskgroup basic-admin
 task read bgp
 task read cdp
 task read cef
 task read rib
 task read ipv4
 task read ipv6
 task read l2vpn
 task read network
 task read interface
 task read ethernet-services
!
usergroup priv1
 taskgroup basic-admin

... because that is what the scripts that go there to look for info
need.

Another "RO user" could have read access on other things...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
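
Added example, not part of the message above and not code from the poster: a small Python check that reads IOS XR taskgroup/usergroup configuration like the one quoted in the post and reports, per usergroup, any permission other than "read" that it ends up with. The "ops-rw" and "priv2" names, the function names, and the sample's "task write" and "inherit taskgroup" lines are assumptions added to show a group that is not read-only; they do not appear in the post.

```python
# Constructed sample: basic-admin/priv1 abbreviated from the post, ops-rw/priv2 hypothetical.
SAMPLE = """\
taskgroup basic-admin
 task read bgp
 task read interface
!
taskgroup ops-rw
 inherit taskgroup basic-admin
 task write interface
usergroup priv1
 taskgroup basic-admin
usergroup priv2
 taskgroup ops-rw
"""

def parse_groups(config):
    """Collect the indented body lines of every taskgroup and usergroup block."""
    groups, body = {"taskgroup": {}, "usergroup": {}}, None
    for line in config.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] in groups and not line.startswith(" "):
            body = groups[w[0]].setdefault(w[1], [])
        elif w and line.startswith(" ") and body is not None:
            body.append(w)
        else:
            body = None  # "!" or any other top-level line ends the block
    return groups["taskgroup"], groups["usergroup"]

def effective_tasks(name, taskgroups, seen):
    """(permission, task-id) pairs of a taskgroup, following 'inherit taskgroup'."""
    if name in seen or name not in taskgroups:
        return set()
    seen.add(name)  # guards against inheritance loops
    tasks = set()
    for w in taskgroups[name]:
        if w[0] == "task" and len(w) == 3:
            tasks.add((w[1], w[2]))
        elif w[:2] == ["inherit", "taskgroup"] and len(w) == 3:
            tasks |= effective_tasks(w[2], taskgroups, seen)
    return tasks

def non_read_tasks(config):
    """Map each usergroup to the sorted non-read permissions it ends up with."""
    taskgroups, usergroups = parse_groups(config)
    report = {}
    for ug, body in usergroups.items():
        names = [w[1] for w in body if w[0] == "taskgroup" and len(w) == 2]
        tasks = set().union(*(effective_tasks(n, taskgroups, set()) for n in names))
        report[ug] = sorted(t for t in tasks if t[0] != "read")
    return report
```

An empty list for a usergroup means every task it carries is "read"; for the sample, priv1 comes back empty and priv2 is flagged for ("write", "interface").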