I am trying to limit a login for our security team that will not require any device config changes and utilize ClearPass to manage the access. I messed with setting a priv-lvl in my enforcement policy, but anything other than 15 won't even pass enable mode. Has anyone been able to restrict access or command auth to only "sho run" without any device-side changes? That's a few thousand changes I'd rather not have to do, but my sec team needs a "read-only" for our network gear. Yes, I know that RO isn't a router thing, especially in older IOS like 6500s, but I need to provide something. Any ideas?