While messing with role-based CLI I tried to limit user access to configuring only a single type of routing protocol (i.e. BGP). But unfortunately with no success: it seems either unsupported or bugged in my version of IOU (15.4(1)T).
R4(config)#parser view TEST
R4(config-view)#commands configure include all router bgp
R4(config-view)#commands exec include configure terminal
R4(config-view)#commands exec include configure
R4(config-view)#do sh runn | s TEST
parser view TEST
secret 5 $1$JUig$9W982IoexX/cDC5/oJ6lp.
commands configure include router
commands exec include configure terminal
commands exec include configure
'bgp' part is disappearing (either with or without 'all' keyword). As a result the correspnding user is getting access to configuring ANY routing protocol.
Just for note, restricting access on per interface basis (i.e. Ethernet0/0 only) is working fine.
Does anybody have experience with this staff?