Cisco IOS provides 16 privilege levels, numbered 0 to 15. By default, only two of them are used: EXEC (level 1) and privileged EXEC (level 15).
In a large network environment, you can define additional privilege levels and assign them to different administrators.
1. Set the privilege level required for a command:
Router(config)# privilege mode [all] {level level | reset} command_string
Eg:
Router(config)# privilege exec level 7 show
2. Set passwords for different privilege levels:
Router(config)# enable secret level level_# password
Eg:
Router(config)# enable secret level 7 cisco
Modify the default privilege level of a line:
Router(config-line)# privilege level level
Eg:
Router(config-line)# privilege level 7
Router#
Router# show privilege
Current privilege level is 7
Log in at a different privilege level:
Router> enable level_#
Eg:
Router> enable 7
Password:
Router#
Verify the privilege level:
Router# show privilege
Current privilege level is 7
Assign different privilege levels to different usernames:
Router(config)# username user's_name [privilege #] {secret | password} password
Eg:
Router(config)# username lst privilege 7 secret cisco
Use the local authentication database on the access lines:
Eg:
Router(config)# line con 0
Router(config-line)# login local
Note: before using login local, confirm that a username and password have been created for login. Otherwise you will not be able to log in again after exiting the router. We recommend setting up vty access first so that you are not locked out of the console.
Router(config-line)# exit
Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config)# privilege exec level 7 show
Router(config)# username lst1 privilege 7 secret cisco
Username:
Username: lst1
Password:
Router# show privilege
Current privilege level is 7
Router# config ter
        ^
% Invalid input detected at '^' marker.
Router# enable 15
Password:
Router# show privilege
Current privilege level is 15
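An added example, not from the original page: a small Python audit of a saved running-config that lists which commands were moved to which privilege level, flags levels that no enable secret, username or line grants, and flags the login local lockout condition described above. The function name, the sample configuration and the finding texts are assumptions made for this example.

```python
import re

# Constructed sample (not from a real device): the page's commands plus two mistakes.
SAMPLE_CONFIG = """\
enable secret level 7 5 $1$constructed$hash
username lst1 privilege 7 secret 5 $1$constructed$hash
username ops password 0 constructed-cleartext
privilege exec level 7 show
privilege exec level 5 ping
line con 0
 login local
line vty 0 4
 privilege level 7
 login local
"""

PRIV_RE = re.compile(r"^privilege (\S+) (?:all )?level (\d+) (.+)$")
ENABLE_RE = re.compile(r"^enable (?:secret|password) level (\d+) ")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (secret|password) ")
LINE_PRIV_RE = re.compile(r"^privilege level (\d+)$")

def audit_privileges(config_text):
    """Hypothetical helper: summarize privilege-level settings in a config dump."""
    commands, users, local_lines, findings = {}, {}, [], []
    reachable = {1, 15}  # the two levels IOS uses by default
    line_name = None
    for raw in config_text.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):  # top-level command: track "line ..." sections
            line_name = text[5:] if text.startswith("line ") else None
        if m := PRIV_RE.match(text):  # privilege <mode> [all] level <n> <command>
            commands.setdefault(int(m[2]), []).append(f"{m[1]}: {m[3]}")
        elif m := ENABLE_RE.match(text):
            reachable.add(int(m[1]))
        elif m := USER_RE.match(text):
            users[m[1]] = int(m[2] or 1)  # no "privilege" keyword means level 1
            reachable.add(users[m[1]])
            if m[3] == "password":
                findings.append(f"user {m[1]}: 'password' used instead of 'secret'")
        elif line_name and (m := LINE_PRIV_RE.match(text)):
            reachable.add(int(m[1]))
        elif line_name and text == "login local":
            local_lines.append(line_name)
    if local_lines and not users:
        findings.append("login local on " + ", ".join(local_lines)
                        + " but no local username: lockout")
    for level in sorted(set(commands) - reachable):
        findings.append(f"level {level} has commands but nothing grants it")
    return {"commands": commands, "users": users, "findings": findings}
```

Calling `audit_privileges(SAMPLE_CONFIG)` reports the `ops` user stored with `password` and level 5, which has a command assigned but no way to reach it.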
Privilege Modes

| Command | Description |
|---|---|
| configure | Global configuration mode |
| controller | Controller subconfiguration mode |
| crypto-map | Crypto map subconfiguration mode, used for VPN configurations |
| crypto-transform | Crypto map transform set subconfiguration mode, used for VPN configurations |
| exec | EXEC mode |
| interface | Interface subconfiguration mode |
| interface-dlci | Frame Relay interface DLCI subconfiguration mode |
| ipenacl | IP named extended ACL subconfiguration mode |
| ipsnacl | IP named standard ACL subconfiguration mode |
| line | Line subconfiguration mode |
| map-class | Map class subconfiguration mode |
| map-list | Map list subconfiguration mode |
| preauth | AAA preauthorization definitions |
| route-map | Route map subconfiguration mode |
| router | Router subconfiguration mode |
| sg-radius | RADIUS server group |
| sg-tacacs+ | TACACS+ server group |
| subscriber-policy | Subscriber policy subconfiguration mode |
| tcl | TCL subconfiguration mode |
| template | Template subconfiguration mode |
| translation-rule | Translation rule subconfiguration mode |
| vpdn-group | VPDN remote access subconfiguration mode |
From Guang and Ying blogs