TACACS+ authorization overview
Upon successful user authentication, the user is identified as having an Administrator, Operator, or Auditor role.
At a minimum, TACACS+ authorization provides the following:
Administrators are given access to every command.
Operators are given access to only nonconfiguration commands (primarily show commands and only for nonsensitive information).
Auditors are given access to a select few commands of interest to those doing auditing.
Optionally, TACACS+ authorization provides further filtering to allow/disallow individual command or command set execution. Each command is sent to the TACACS+ server for approval, and the switch then allows/disallows command execution according to the server response.
TACACS+ authorization applies only to the CLI interface.
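As an added illustration (not code from the switch or its documentation), the Python below shows what sending one command for approval looks like at the protocol level, using the authorization REQUEST and REPLY body layouts from RFC 8907. The user name, port, address and privilege level are constructed values, and treating any malformed or non-PASS reply as a deny is a choice made by this example, not documented switch behavior.

```python
import struct

# Constants from RFC 8907; the body layouts below exclude the 12-byte packet header.
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_PASS_REPL = 0x01, 0x02
STATUS_FAIL, STATUS_ERROR = 0x10, 0x11


def command_to_args(command_line):
    """Split a CLI line into the service/cmd/cmd-arg arguments sent to the server."""
    words = command_line.split()
    if not words:
        raise ValueError("empty command")
    args = ["service=shell", "cmd=" + words[0]]
    args += ["cmd-arg=" + w for w in words[1:]]
    return [a.encode("ascii") for a in args]


def build_author_request(user, port, rem_addr, priv_lvl, command_line):
    """Build the cleartext body of an authorization REQUEST for one command."""
    fields = [user.encode(), port.encode(), rem_addr.encode()]
    args = command_to_args(command_line)
    if any(len(x) > 255 for x in fields + args) or len(args) > 255:
        raise ValueError("field too long for a one-byte length")
    head = struct.pack(
        "!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
        len(fields[0]), len(fields[1]), len(fields[2]), len(args))
    return head + bytes(len(a) for a in args) + b"".join(fields) + b"".join(args)


def parse_author_reply(body):
    """Return (allowed, server_msg); anything but PASS_ADD/PASS_REPL is a deny."""
    if len(body) < 6:
        return False, "truncated reply"
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    if len(body) != 6 + arg_cnt + msg_len + data_len + sum(arg_lens):
        return False, "malformed reply"  # example's choice: fail closed
    start = 6 + arg_cnt
    msg = body[start:start + msg_len].decode("utf-8", "replace")
    return status in (STATUS_PASS_ADD, STATUS_PASS_REPL), msg


# Constructed samples: an operator's show command and a server FAIL reply.
SAMPLE_REQUEST = build_author_request("oper1", "ssh0", "192.0.2.10", 1, "show running-config")
SAMPLE_FAIL_REPLY = struct.pack("!BBHH", STATUS_FAIL, 0, 6, 0) + b"denied"
```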