Friday 4 March 2016

AAA with Tacacs+ on Debian

A while ago I tried setting up different authorisation levels on a Cisco router with privilege levels. It failed miserably because this is badly documented by Cisco and the amount of effort needed to get something useful out of it was too much. The main problem is the hierarchical privilege structure of commands and the somewhat illogical relation between these commands (enable write privileges to allow read privilege...).