Cisco's enhanced privilege settings

When dealing with privileges, many administrators only make use of Cisco IOS's two default privilege levels: user EXEC mode and privileged EXEC (enable) mode. However, as you're no doubt aware, one of the most important security best practices is to follow the principle of least privilege, meaning that you give users the permissions they need and no more. Cisco helps you to do this by providing 16 privilege levels, numbered 0 through 15: level 1 is user mode, level 15 is the highest mode (privileged mode), and levels 2 through 14 are yours to define. You may wonder how they get 16 levels if user mode is level 1 and the highest is 15. It's because Cisco also provides a level 0, a minimal level that permits only a handful of commands such as disable, enable, exit, help and logout.

Although Cisco gives you all these levels, it doesn't predefine what levels 2 through 14 mean. So to make use of them, you have to define what users at each level can actually do. Typically you use the "privilege" command to accomplish this. A command you move to a given level becomes available at that level and at every higher level. For example, the following line makes "configure terminal" one of the commands that users at level 5 and above can use in exec mode:

privilege exec level 5 configure terminal

Of course, issuing a separate "privilege" statement for every single command you want to activate can get quite tedious. That's where Cisco's enhanced privilege settings come in. Starting with Cisco IOS Release 12.2(13)T, you can add the optional "all" keyword between the mode and "level" to move a command together with all of its subcommands and options to the new level in one statement. For instance, the following command makes all of the snmp commands in configure mode available to users at level 5 and above:

privilege configure all level 5 snmp

Because "all" grants an entire command tree at once, check what that tree contains before using it; a single line can expose far more than a list of individual "privilege" statements would.
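The individual statements above only take effect once an account or line is actually placed at the new level. The following configuration is a worked example added here, not taken from the original article or from Cisco documentation: it defines a level-5 operator role with a read-only EXEC command, entry to global configuration mode and all of the snmp configuration commands, then binds a local user and a level-5 enable secret to it. The hostname, the username "noc-ops" and both secrets are placeholders.

```cisco
! Added example, not from the original article. The hostname, the username
! and both secrets are placeholders; replace them before use.
hostname edge-router
!
! Level-5 EXEC rights. A command moved to level 5 is also usable at 6-15.
! "show ip interface brief" lets the operator check link state without
! exposing the whole running configuration.
privilege exec level 5 show ip interface brief
!
! Entering global configuration mode is itself an EXEC command, so it has to
! be granted separately; once inside, the user can only run the configuration
! commands that have also been moved to level 5 or below.
privilege exec level 5 configure terminal
!
! Enhanced privilege setting (IOS 12.2(13)T and later): one statement moves
! the snmp command and all of its subcommands in configure mode to level 5.
privilege configure all level 5 snmp
!
! Nothing above is reachable until an account or line is placed at level 5.
! This local user lands directly at level 5 after login.
username noc-ops privilege 5 secret Ch4ngeMe-L5
!
! Alternatively, let a level-1 user step up with "enable 5" instead of
! handing out the level-15 enable secret.
enable secret level 5 Ch4ngeMe-En5
!
! Use the local user database on the management lines.
line vty 0 4
 login local
 transport input ssh
```

To check the result, log in as noc-ops from a second session: "show privilege" should report level 5, "configure terminal" should be accepted, the snmp commands should be usable inside configuration mode, and commands still at level 15 (for example "interface ...") should be rejected. Save with "write memory" only after that check succeeds, so that a mistake in the privilege statements cannot lock you out.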

