Privilege 15 is the superuser level; however, you can change this default behaviour by assigning lower privilege levels to users and to commands. In this example I will create a username that has privilege 4 access.
ciscoasa(config)# username adminreader password 121278 privilege 4
ciscoasa(config)# privilege show level 4 command running-config
ciscoasa(config)# privilege show level 4 command access-list
ciscoasa(config)# privilege show level 4 command conn
Then I need to use the aaa commands to tell the ASA where to look up authentication and command authorization information (here, the LOCAL database).
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
When a user attempts to SSH in, the Cisco ASA checks the local database for the authentication information.
When a user attempts to log in to ASDM, the Cisco ASA checks the local database for the authentication information.
When a user attempts to enter privileged EXEC mode (enable), the Cisco ASA checks the local database for the authentication information.
After authentication, the Cisco ASA checks the local database to find out which commands the authenticated user may execute (command authorization).
The maximum number of failed login attempts is 5; once this is exceeded, the user account is locked.
Here are the commands to unlock a user account.
clear aaa local user all
Clears the locked status of all usernames.
clear aaa local user username adminreader
Clears the locked status of username adminreader.
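To make the authorization model and the lockout behaviour above concrete, here is an added Python example (not part of the original post and not a Cisco tool) that parses a constructed ASA config excerpt built from the commands shown, answers "can this user run this command?", flags a config that defines privilege levels without enabling command authorization, and models the max-fail lockout together with the clear commands. It assumes that a command without a privilege line requires level 15, that a username line without the privilege option gets level 2, and that the account locks once the failure count reaches the threshold; verify these against your own ASA.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed config excerpt mirroring the post's commands (not a real device dump).
SAMPLE_CONFIG = """
username adminreader password 121278 privilege 4
username superadmin password s3cret privilege 15
privilege show level 4 command running-config
privilege show level 4 command access-list
privilege show level 4 command conn
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
"""

DEFAULT_COMMAND_LEVEL = 15  # assumption: commands with no 'privilege' line need full privilege
DEFAULT_USER_LEVEL = 2      # ASA default when 'username' omits the privilege option

USER_RE = re.compile(r"^username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?$")
PRIV_RE = re.compile(r"^privilege (show|cmd|clear|configure) level (\d+)(?: mode (\S+))? command (\S+)$")
MAXFAIL_RE = re.compile(r"^aaa local authentication attempts max-fail (\d+)$")


@dataclass
class AsaAuthzModel:
    users: Dict[str, int] = field(default_factory=dict)            # username -> privilege level
    commands: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (mode, command) -> level
    aaa_lines: Set[str] = field(default_factory=set)
    max_fail: Optional[int] = None


def parse_config(text: str) -> AsaAuthzModel:
    """Extract users, per-command privilege levels and aaa settings from config text."""
    model = AsaAuthzModel()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USER_RE.match(line)
        if m:
            model.users[m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_USER_LEVEL
            continue
        m = PRIV_RE.match(line)
        if m:
            model.commands[(m.group(1), m.group(4))] = int(m.group(2))
            continue
        m = MAXFAIL_RE.match(line)
        if m:
            model.max_fail = int(m.group(1))
        if line.startswith("aaa "):
            model.aaa_lines.add(line)
    return model


def can_run(model: AsaAuthzModel, username: str, mode: str, command: str) -> bool:
    """A user may run a command when their level meets the level assigned to it."""
    user_level = model.users.get(username)
    if user_level is None:
        return False
    return user_level >= model.commands.get((mode, command), DEFAULT_COMMAND_LEVEL)


def audit(model: AsaAuthzModel) -> list:
    """Flag the gaps a reviewer would look for before trusting the privilege levels."""
    findings = []
    if model.commands and "aaa authorization command LOCAL" not in model.aaa_lines:
        findings.append("privilege levels defined but command authorization is not enabled")
    if model.max_fail is None:
        findings.append("no local lockout threshold (aaa local authentication attempts max-fail)")
    for user, level in sorted(model.users.items()):
        if level == 15:
            findings.append(f"{user} has privilege 15 (superuser)")
    return findings


class LocalLockout:
    """Models 'max-fail N' lockout and the 'clear aaa local user ...' commands."""

    def __init__(self, max_fail: int):
        self.max_fail = max_fail
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def login(self, username: str, ok: bool) -> bool:
        if username in self.locked:
            return False                       # locked accounts fail even with the right password
        if ok:
            self.failures[username] = 0
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_fail:   # assumed: lock on reaching the threshold
            self.locked.add(username)
        return False

    def clear(self, username: Optional[str] = None) -> None:
        """None behaves like 'clear aaa local user all'; a name like 'clear aaa local user username X'."""
        for u in (list(self.locked) if username is None else [username]):
            self.locked.discard(u)
            self.failures.pop(u, None)
```

Run `audit(parse_config(open("running-config.txt").read()))` against a saved config to see the findings; removing the `aaa authorization command LOCAL` line from the sample reproduces the situation the commenters describe, where privilege lines exist but have no effect.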
Hi Cyrus,
The default privilege (meaning: when you issue command “username xxx password yyy” without specifying the privilege option) is not 15 (but privilege 2) on ASA.
Cheers,
Costi
Hi Costi! Thanks for the tip! What I meant was the default privilege for privilege 15 is super user.
I think:
adding running config gives access to all commands
I tested it and was not restricted; I changed the hostname, added routes, etc.
Hi Nick:
I added the command “privilege show level 6 mode exec command running-config” and I can still see that I am able to use neither the show crashinfo nor the conf t commands; it displays ERROR: Command authorization failed. Maybe you have a problem in your configuration.
Regards,
Moustafa
You need to verify that this command is there as well, else it won't work:
aaa authorization exec authentication-server auto-enable
You need to make sure this command is also being run, else it won't work:
aaa authorization exec authentication-server auto-enable