Today I had the need to create a user in a Cisco ASA firewall that would have read-only permissions and could also issue
only 2 commands: show run and show conn. Here is how to do it.
We talk here about a user with local authentication (with TACACS it is much easier).
Just as in Cisco routers, you assign a specific command to a privilege level different from its default level, then create a user with this privilege level:
1) Assign the command to a specific privilege level (I pick level 3 here, but it may be any level but 15):
ciscoASA(config)# privilege show level 3 mode exec command conn
2) Create a username with the privilege level of the command you want that user to be able to issue:
ciscoASA(config)# username Joedoe password asdlgfuwe privilege 3
Now you have 2 options. Either create a general enable password for this level (3 here), so that
any user, after a successful login, can enter > enable 3 and type that password to get to level 3 enable
mode. Or, as I did here, do not create a level 3 enable password at all, so the user has to enter their
privilege level using the login command.
3) Now the user can connect by ssh (if their source IP is allowed, of course):
Joedoe@10.10.10.7 password: <enter user's pass here>
ciscoASA# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV
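The three steps above as one complete configuration fragment. This is an added example, not the original post's configuration: the privilege and username lines are the ones from the post, while the aaa, ssh and running-config lines are my additions and assumptions. The point of the aaa lines is the part a defender most wants to check: local privilege levels only restrict what a user can type when local command authorization is turned on, and SSH logins only consult the local user database when SSH authentication is pointed at LOCAL.

```cisco
! --- 1) command-to-privilege-level mapping (from the post) ---
privilege show level 3 mode exec command conn
! "show run" was named in the post but not configured there; this line is an
! assumption that mirrors the same syntax for the running-config keyword
privilege show level 3 mode exec command running-config

! --- 2) local user at that privilege level (from the post) ---
username Joedoe password asdlgfuwe privilege 3

! --- added: make the privilege level actually enforced ---
! SSH logins must authenticate against the local database for the
! "privilege 3" on the username to apply
aaa authentication ssh console LOCAL
! without local command authorization the ASA does not compare commands
! against privilege levels at all, and the restriction is silently absent
aaa authorization command LOCAL

! --- added: limit where the management session may come from ---
! 10.10.10.0/24 and the interface name "inside" are placeholders
ssh 10.10.10.0 255.255.255.0 inside
```

After applying this, log in as the user and run `show curpriv` to confirm the reported privilege level is 3, then try a command outside the allowed set (for example `show version`) and confirm it is rejected; if it is accepted, check that `aaa authorization command LOCAL` is present in the running configuration.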
Cisco ASA Configuration Guide 8.0: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html