I know that 4.2 is pretty old but it could be relevant in future versions with 5.3 and ISE. I dont know.
Topic: Implementing (permitting) subcommands under an Authorization Set.
This was somehwat difficult for me to get working for the final step that I wanted. That was to Allow FastEthernet interfaces to be allowed by the help desk and deny GigabitEthernet. Reasoning being is all Gigabit ports are reserved for trunking.
How I was able to solve this issue.
Previous AAA settings on 3750 switch
aaa group server tacacs+ CSACS
aaa authentication login default group CSACS local
aaa authentication enable default group CSACS enable
aaa authorization exec default group CSACS local
aaa authorization commands 15 default group CSACS local
aaa accounting commands 15 default start-stop group CSACS
aaa session-id common
Added command on switch
aaa authorization config-commands
This allows you to specify individual commands (to my understanding).
Shell Command Authorization Set
If you want to allow fastethernet and deny gigabitethernet then do the following
permit FasEthernet (case-sensitive!!!!!!)
To allow switchport commands: switchport mode access and switchport access vlan denying explicitly switchport mode trunk.
deny mode trunk
permit mode access
permit access vlan
Items to consider:
1. User settings trump group settings so if you give someone priviledge level 15 in their user settings instead of following group settings then they have acess to everything.)
2. shell exec needs to be turned on for user and group
3. The five ITEMS in 4.2 that you need to look at.