Hi
On the ACS side, the config you choose very much depends on the scale of your deployment.
If you have one or two users, you can define per-user command authorisation within ACS.
If you have many users, you should do this at group level.
Moving on, if you have many devices you can look at creating pixshell command sets and grouping the devices into Network Device Groups (NDGs). Within each group you then map from NDGs to command sets.
This gives the functionality of an RBAC (Role Based Access Control) server, where a member of a group has a certain role with associated rights based on which NDG is being configured.
You may also want to use NARs to prevent certain admins even being able to log on to the device.
So the first job is to scope your deployment and figure out what level of config (and hence complexity) is required in ACS.
Then get a copy of extraxi aaa-reports! to audit your ACS logs :)
Darran
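
The group-to-NDG-to-command-set mapping described in the post above, sketched as a small Python model. This is an added example, not part of the original post and not ACS configuration or an ACS API; every user, group, device, NDG and command-set name is constructed, and the first-match, default-deny rule evaluation is a simplifying assumption.

```python
from fnmatch import fnmatch

# Constructed sample inventory: which NDG each device belongs to.
DEVICE_NDG = {"fw-edge-1": "Firewalls", "sw-access-7": "AccessSwitches"}
USER_GROUP = {"alice": "NetOps", "bob": "Helpdesk"}

# Command sets: ordered (action, pattern) rules. Assumption for this model:
# first match wins and a command that matches nothing is denied.
COMMAND_SETS = {
    "ReadOnly": [("permit", "show *")],
    "FullAccess": [("deny", "write erase*"), ("permit", "*")],
    "PortOps": [("permit", "show *"), ("permit", "configure terminal"),
                ("permit", "interface *"), ("permit", "shutdown"),
                ("permit", "no shutdown")],
}

# Per group: NDG -> command set. The same group gets a different role
# depending on which NDG the device being configured sits in.
GROUP_NDG_MAP = {
    "NetOps": {"AccessSwitches": "FullAccess", "Firewalls": "ReadOnly"},
    "Helpdesk": {"AccessSwitches": "PortOps"},
}

# NAR stand-in: NDGs where a group may not log on at all.
GROUP_NAR_DENY = {"Helpdesk": {"Firewalls"}}


def authorize(user, device, command):
    """Return (allowed, reason) for one command on one device."""
    group = USER_GROUP.get(user)
    ndg = DEVICE_NDG.get(device)
    if group is None or ndg is None:
        return (False, "unknown user or device")
    # The access restriction is checked before any command authorisation.
    if ndg in GROUP_NAR_DENY.get(group, set()):
        return (False, "NAR: login refused")
    set_name = GROUP_NDG_MAP.get(group, {}).get(ndg)
    if set_name is None:
        return (False, "no command set mapped for this NDG")
    for action, pattern in COMMAND_SETS[set_name]:
        if fnmatch(command, pattern):
            return (action == "permit", f"{set_name}: {action} {pattern}")
    return (False, f"{set_name}: unmatched command")
```

Walking the full user, device and command matrix through a model like this before building the groups in ACS shows where a mapping is missing or a role is broader than intended.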