ACS 4.2 Shell Command Authorization Set permissions

nathan demers
Beginner

I know that 4.2 is pretty old but it could be relevant in future versions with 5.3 and ISE. I don't know.

Topic:  Implementing (permitting) subcommands under an Authorization Set.

This was somewhat difficult for me to get working for the final step that I wanted. That was to allow FastEthernet interfaces to be allowed by the help desk and deny GigabitEthernet. The reasoning is that all Gigabit ports are reserved for trunking.

How I was able to solve this issue.

SWITCH

Previous AAA settings on 3750 switch

aaa new-model
aaa group server tacacs+ CSACS
aaa authentication login default group CSACS local
aaa authentication enable default group CSACS enable
aaa authorization exec default group CSACS local
aaa authorization commands 15 default group CSACS local
aaa accounting commands 15 default start-stop group CSACS
aaa session-id common

Added command on switch

aaa authorization config-commands

     This allows you to specify individual commands (to my understanding).

ACS

Shell Command Authorization Set

If you want to allow FastEthernet and deny GigabitEthernet then do the following:

COMMAND
interface

ARGUMENT
permit FastEthernet  (case-sensitive!!!!!!)

To allow switchport commands (switchport mode access and switchport access vlan) while explicitly denying switchport mode trunk:

COMMAND
switchport

ARGUMENT
deny mode trunk
permit mode access
permit access vlan

Items to consider:

1. User settings trump group settings, so if you give someone privilege level 15 in their user settings instead of following group settings then they have access to everything.

2. Shell exec needs to be turned on for user and group.

3. The five ITEMS in 4.2 that you need to look at:

User Setup
Advanced TACACS+ Settings
TACACS+ Enable Password
Shell (exec)  (RIGHT ABOVE ---->  Shell Command Authorization Set)
Shell Command Authorization Set

Good luck.
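To make the effect of the two command entries above concrete, here is an added Python model of how the post's authorization set decides on individual command lines. It is not ACS code or Cisco's matching engine; it assumes argument rules are evaluated top to bottom, first match wins, matching is case-sensitive against the start of the argument string, and both unmatched commands and unmatched arguments are denied unless the corresponding "permit unmatched" option is turned on.

```python
from typing import Dict, List, Optional, Tuple

# Constructed model of the Shell Command Authorization Set from the post:
# command name -> ordered list of (action, argument pattern) rules.
AUTH_SET: Dict[str, List[Tuple[str, str]]] = {
    "interface": [("permit", "FastEthernet")],
    "switchport": [
        ("deny", "mode trunk"),
        ("permit", "mode access"),
        ("permit", "access vlan"),
    ],
}


def authorize(command_line: str,
              auth_set: Optional[Dict[str, List[Tuple[str, str]]]] = None,
              permit_unmatched_commands: bool = False,
              permit_unmatched_args: bool = False) -> bool:
    """Return True if the command line is permitted by the authorization set.

    Assumed semantics (a model, not ACS's documented algorithm): the first
    word is the command, the rest is the argument string; rules are checked
    in order and the first pattern that matches the start of the argument
    string decides; anything unmatched falls back to the permit_unmatched_*
    flags, which default to deny as in the post's setup.
    """
    rules_by_command = AUTH_SET if auth_set is None else auth_set
    parts = command_line.strip().split(None, 1)
    if not parts:
        return False
    command = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    rules = rules_by_command.get(command)
    if rules is None:
        return permit_unmatched_commands
    for action, pattern in rules:
        # Case-sensitive prefix match: "FastEthernet" covers FastEthernet0/1,
        # FastEthernet0/2, ... but not "fastethernet0/1" or GigabitEthernet.
        if args.startswith(pattern):
            return action == "permit"
    return permit_unmatched_args


def evaluate(command_lines: List[str]) -> Dict[str, bool]:
    """Evaluate a batch of constructed command lines against the default set."""
    return {line: authorize(line) for line in command_lines}


if __name__ == "__main__":
    sample = ["interface FastEthernet0/1", "interface GigabitEthernet1/0/1",
              "interface fastethernet0/1", "switchport mode trunk",
              "switchport mode access", "switchport access vlan 10", "shutdown"]
    for line, ok in evaluate(sample).items():
        print(f"{'PERMIT' if ok else 'DENY  '} {line}")
```

Run it to see why the help desk can configure FastEthernet ports and access VLANs but not GigabitEthernet ports or trunks, and why a lowercase "fastethernet" is refused by a case-sensitive pattern.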



2 Replies

Jatin Katyal
Cisco Employee