You might have a remote location or support personnel who needs read only access to your router. You can decrypt the encrypted passwords (simple encryption only, passwords decrypted with secret are hard to decrypt) in the show run. But what if you want to eliminate the possibility of them doing that. How would you do that?
Though the best way is to implement a secure access server like TACACS but what if the customer doesn't always require it. You can use a local database created on the router itself. Once you create the database set privilege levels (anything other than 15) for different users and specify commands, which they can run. This will allow them to execute those commands only. Here's a sample configuration that can help you in that.
username user1 privilege 2 pass test1
username user2 privilege 12 pass test2
username user3 privilege 15 pass test#
privilege exec level 2 ping
privilege exec level 12 show run
privilege exec level 12 show ip route
line vty 0 4
exec-timeout 30 0
Here the user user1 can do ping only and user user2 will be able to run show runn, show ip route and ping. User user3 is free to do do anything and has full rights.