On your router:
enable: aaa authentication enable default group tacacs+ none
In ACS, User Setup>>Advanced TACACS+ settings, configure a privilege level for a particular device group. If your Advanced TACACS+ settings aren't visible, then enable them under Interface Configuration.
i.e., under TACACS+ Enable Control, select Define max privilege on a per NDG basis.
Then add an association to an NDG and a privilege level.
Here's a catch though. If, on your router, you have enabled both:
aaa authorization exec
and
aaa authentication enable,
then your user who is given shell access and priv 15 bypasses any enable authentication and also, therefore, bypasses all your TACACS+ Enable control restrictions which you just set up. So, in this case, you need to use enable authentication to control access to privilege levels, rather than aaa authorization.
For documentation reference, just look in your embedded ACS documentation under "Advanced TACACS+ Settings".
Good luck,
Jeff
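
Added example (not part of the original post, and not Cisco code): a small Python check that scans saved running-configs for the combination described above, where exec authorization and enable authentication both point at TACACS+. The device names and config text are constructed samples, and the check assumes the built-in "group tacacs+" method rather than a custom server group.

```python
import re

# Constructed sample running-configs (not from the original post).
SAMPLE_CONFIGS = {
    "rtr-both": """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa authorization exec default group tacacs+ local
""",
    "rtr-enable-only": """
aaa new-model
aaa authentication enable default group tacacs+ none
""",
    "rtr-exec-only": """
aaa new-model
aaa authorization exec default group tacacs+ if-authenticated
no aaa authentication enable default group tacacs+ none
""",
}

AUTHZ_EXEC = re.compile(r"^aaa authorization exec\s+(\S+)\s+(.+)$")
AUTHN_ENABLE = re.compile(r"^aaa authentication enable\s+default\s+(.+)$")

def audit_config(text):
    """Report which of the two AAA features a config sends to TACACS+."""
    exec_lists, enable_methods = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("no ", "!")):
            continue  # skip blanks, comments and negated commands
        m = AUTHZ_EXEC.match(line)
        if m and "tacacs+" in m.group(2).split():
            exec_lists.append(m.group(1))
        m = AUTHN_ENABLE.match(line)
        if m:
            enable_methods = m.group(1).split()
    enable_tacacs = bool(enable_methods) and "tacacs+" in enable_methods
    return {
        "exec_authorization_lists": exec_lists,
        "enable_via_tacacs": enable_tacacs,
        # Both present: a user whose shell is authorized at priv 15
        # never reaches the enable prompt, so Enable Control is skipped.
        "enable_control_bypassable": bool(exec_lists) and enable_tacacs,
    }

def audit_all(configs):
    return {name: audit_config(cfg) for name, cfg in configs.items()}
```

A device flagged as bypassable is only affected for users whose ACS shell authorization returns privilege level 15; the flag marks where to review that setting.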