By default cisco routers will come with scp file transfers disabled. Though they are easy enough to enable so that you can download / upload configurations to them using ssh / scp. Which is useful for doing backup's of router config files. In particular a lot of routers automatically.

The first part of the problem requires that you enable enough privalages to be able to access scp from a particular user. Normally there is a configuration line that looks like 'aaa authentication login default local' or like 'aaa authentication login default group radius local' if you are using radius authentication. You will need to add the exec permission to the same group.

you can do this with the following command

aaa authorization exec default  local

Or if using radius

aaa authorization exec default group radius local

Then you need to also enable the scp service which you can do with the following

ip scp server enable

At this stage you should now be able to scp the config file. From linux I would use the following 'scp <routerip>:startup-config mybackupfile