is it true aaa authorization command level will only check tacacs server and check only associated with user. using aaa authorization must require the aaa authentication login because that is how acs know how to associate the user and command he/she allowed to execute. in other words by using only aaa authorization will confuse the router. tx for answering :)
AAA authentication is required for authorising a user from tacacs with a certain privilge level.
This can be done in 2 ways.
Define the Shell privilge level for each user in TACACS and have the commands for the that privilege level locally on every device.
Second and the recommended method is use shell authorization sets in TACACS. In this case the privilege level is set to 15 but the command are limited to what you have configured on the shell authorization sets.
Have a look at the attachment
HTH, rate if it does