Just having a play around with role based access and "views". Not a feature I've used much in production. Below we will configure a view that only allows the use of the show interface commands. Then we will configure a user that, when logging in via telnet or ssh, will auto enable into the restricted view.
More info can be found on Cisco.com. This feature was first added in 12.3(7)T.

First off we enable the root view. Other views can only be created/changed from inside the root view.

m00nies-router(config)#aaa new-model
m00nies-router(config)#enable secret lalala
m00nies-router(config)#^Z
m00nies-router#disable
m00nies-router>enable view
*Mar 1 00:06:41.363: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

Now that we are in the "root view" we can create the new view called INTONLY.

m00nies-router#conf t
m00nies-router(config)#parser view INTONLY
*Mar 1 00:07:59.527: %PARSER-6-VIEW_CREATED: view 'INTONLY' successfully created.

Now we create an enable password for this specific view and add the commands we want. Commands are excluded from the view unless they are specifically configured.

m00nies-router(config-view)#secret INTONLYPASS
m00nies-router(config-view)#commands exec include show interface

Now we configure ssh and the aaa config needed.

m00nies-router(config)#exit
m00nies-router(config)#ip domain name m00nie.com
m00nies-router(config)#crypto key generate rsa
m00nies-router(config)#aaa authorization exec default local
m00nies-router(config)#aaa authentication login default local enable
m00nies-router(config)#aaa authorization exec default local

The INTGUY user is restricted to the INTONLY view, and test will be our default user for other access.

m00nies-router(config)#username INTGUY view INTONLY password 0 INTGUY
m00nies-router(config)#username test password 0 test
m00nies-router(config)#^Z

Now from a host we can ssh straight into the INTONLY view using the INTGUY account info. See how all commands apart from show interface fail.

m00nie@linux:~$ ssh INTGUY@m00nies-router


m00nies-router#show parser view
Current view is 'INTONLY'

Exec commands:
<1-99> Session number to resume
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information

m00nies-router#show ?
flash: display information about flash: file system
parser Display parser information
slot0: display information about slot0: file system
slot1: display information about slot1: file system

m00nies-router#show run
% Invalid input detected at '^' marker.

m00nies-router# conf t
% Invalid input detected at '^' marker.
% Invalid input detected at '^' marker.

m00nies-router#show int
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is cc00.1300.0000 (bia cc00.1300.0000)
Internet address is
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
0 output buffer failures, 0 output buffers swapped out
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is
0 output buffer failures, 0 output buffers swapped out

Views can also be made up of multiple views, reusing other views. These are configured by using the superview command like so:

m00nies-router>enable view
m00nies-router#conf t
m00nies-router(config)#parser view lol superview
*Mar 1 01:21:19.643: %PARSER-6-SUPER_VIEW_CREATED: super view 'lol' successfully created.
m00nies-router(config-view)#secret lol
m00nies-router(config-view)#view INTONLY
*Mar 1 01:21:51.635: %PARSER-6-SUPER_VIEW_EDIT_ADD: view INTONLY added to superview lol.
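As an added example (not part of the original post, and not Cisco tooling), this Python script audits config text to show which view each local user lands in and which commands that view exposes, following superview membership. The sample config is constructed from the commands used in this post, and the function names are hypothetical.

```python
import re

# Constructed sample (not router output): the post's commands collected as
# config text. All function names below are hypothetical.
SAMPLE_CONFIG = """\
parser view INTONLY
 secret INTONLYPASS
 commands exec include show interface
parser view lol superview
 secret lol
 view INTONLY
username INTGUY view INTONLY password 0 INTGUY
username test password 0 test
"""

def parse_views(config):
    """Return {view: {"commands": [...], "members": [...]}} from parser view blocks."""
    views, current = {}, None
    for line in config.splitlines():
        m = re.match(r"parser view (\S+)", line)
        if m:
            current = views.setdefault(m.group(1), {"commands": [], "members": []})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:1] == ["commands"] and "include" in words:
                current["commands"].append(" ".join(words[words.index("include") + 1:]))
            elif words[:1] == ["view"] and len(words) > 1:
                current["members"].append(words[1])  # superview member
        else:
            current = None  # left the parser view block
    return views

def effective_commands(views, name, seen=()):
    """Commands of a view plus those inherited from its superview members."""
    if name not in views or name in seen:
        return set()
    cmds = set(views[name]["commands"])
    for member in views[name]["members"]:
        cmds |= effective_commands(views, member, seen + (name,))
    return cmds

def audit_users(config):
    """Map username -> (view, allowed commands); (None, None) means no view restriction."""
    views = parse_views(config)
    report = {}
    for m in re.finditer(r"^username (\S+)(?: view (\S+))?", config, re.M):
        user, view = m.groups()
        report[user] = (view, sorted(effective_commands(views, view)) if view else None)
    return report
```

A user whose view resolves to an empty command list is bound to a view name that is not defined in the config, which is worth checking before relying on the restriction.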

Maybe not quite tacacs+ authorisation but another useful tool to have for some circumstances.

m00nie :)