On my ACS SE 4.2 setup I have CMD Authorization set up and it works nice, Service Desk type cmds: show, clear, telnet, traceroute, exit and then another group with full access (all cmds permitted). both user groups have Priv. Levels = 15.
However, (there is always one) with SDM access via HTTPS it appears that all you need is Priv. Level 15 to run SDM and make any configuration changes.
With my current setup, a user in the NetDevOper group when Telnet'ed or SSH'ed has access to a few commands, i.e. clear crypto sessions.
If I change this group from Priv Level 15 to, say 14, then I will have to 'Demote' the Clear command to Priv Level 14 on each device so this group can do simple clear commands.
My other choice is to disable HTTP access altogether, which is what I am leaning towards.
Is there another option available?