I'm configuring several switches and routers for TACACS with ACS SE. I have a need to do three levels of access; the groups are as follows:
1. Normal read-only access.
2. Full access with the exception of config t.
3. Full access.
What would be the best way to achieve this goal? I can see that if I create Shell Command Authorization sets on the ACS, I can configure one for group 1 and one for group 3. But will I be able to do so for group 2? Is there a way to allow all, but explicitly block one command? Following this page: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml leads me to believe that the capability may exist, but I have no way to confirm at the moment.