TACACS and LMS 2.5

mnewnam05
Level 1

If TACACS is implemented on all network switches, what is the best way to implement TACACS on the LMS 2.5 server that manages the network?

6 Replies

Joe Clarke
Cisco Employee

There are older switches that do not implement TACACS+. However, all modern CatOS and IOS switches do.

As for your other question, more context is required. Do you have CiscoSecure ACS? What kind of LMS/TACACS interaction are you looking for? With LMS 2.5, you can use CS ACS for LMS authorization as well as for access to network devices.

The network consists of 2950s cored to two 6513s. TACACS would be applied via the "aaa" command. We want someone to be able to use LMS to change VLANs, for example, on a selected group of switches using their TACACS userid and pw, so that the changes made on the switches are traceable to that someone.

You can do that using the job based password feature of LMS. With this, the user executing the job provides their username and password for that job only. That way, AAA logs will reflect that user as being the one that performed the config changes.

In this configuration, the best solution would be to enforce job-based passwords using RME > Admin > Config Mgmt > Config Job Policies. Make the Job Passwords mandatory by unchecking the User Configurable checkbox. Then, all config changes must specify per-job credentials.
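For reference, this is the switch-side AAA configuration that makes the per-job credentials described above show up in the TACACS+ accounting log. It is an added illustration, not something posted in this thread; the IOS syntax applies to the 2950s (CatOS on a 6513 uses different "set tacacs" commands), and the server address and key are placeholders.

```cisco
! Added example (not from this thread): IOS AAA so that config changes made over
! telnet/SSH with per-job credentials are attributed to the user in ACS accounting.
! 192.0.2.10 and EXAMPLE-KEY are placeholders; substitute the ACS host and shared key.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
! Authenticate logins against ACS; fall back to the local database only if ACS is unreachable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Send exec session start/stop and every privilege-15 command (which includes
! configuration commands) to ACS together with the username that issued them
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Apply the login method to the vty lines LMS connects to over telnet/SSH
line vty 0 4
 login authentication default
```

Only sessions that arrive over telnet/SSH pass through this command accounting; configuration pushed by LMS over SNMP never opens a vty session, so it is not attributed to a user this way.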

Thanks, sounds like that will work for the LMS user, but don't I still have to configure LMS with a TACACS id and pw before it can access the switches?

You will still need to enter TACACS credentials in the DCR so that the various applications can access the devices.

No, you don't HAVE to. RME (and other LMS apps) can certainly use SNMP to perform all necessary operations. However, if you want to use telnet/SSH for configuration fetches in RME, you will need to populate DCR with a username and password.