Sometimes need ssh/telnet/api access to router with write policy for a specific reason (e.g. modify address lists). If these accounts compromised, they have full access to the router. A policy with a restricted command set (or maybe only allow execution of predefined scripts) would be helpful.

+1

I fully suppor this request! For a project we have ran into the issue that the customer should have limited access to the router, for example to change the wireless password themselves, but we don't want them to fiddle arround in the firewall (or see the firewall rules at all). For this customer we build a custom application using the API, so being able to create a user group with a specific set of allowed commands would be awesome!