01-15-2022 08:36 PM
Hi,
While configuring TACACS+ Authentication on ISE, I see there are two options in the conditions: (See attached screenshot)
TACACS: Service EQUALS login
TACACS: Service EQUALS enable
What does this mean?
My understanding is that we can use different identity stores for login authentication and enable mode authentication. But what would be the use case for this?
This screenshot is from Cisco SISE course, but does not give any explanation on how this feature is used.
Would appreciate any thoughts on this.
Thanks and Regards,
Mohan
01-21-2022 04:45 PM
RADIUS and TACACS are standard protocols so you can find the respective protocol behavior and attribute definitions in RFCs like RFC-8907 The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol which says
authen_service
This is the service that is requesting the authentication. Valid values are:
TAC_PLUS_AUTHEN_SVC_NONE := 0x00
TAC_PLUS_AUTHEN_SVC_LOGIN := 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE := 0x02
TAC_PLUS_AUTHEN_SVC_PPP := 0x03
TAC_PLUS_AUTHEN_SVC_PT := 0x05
TAC_PLUS_AUTHEN_SVC_RCMD := 0x06
TAC_PLUS_AUTHEN_SVC_X25 := 0x07
TAC_PLUS_AUTHEN_SVC_NASI := 0x08
TAC_PLUS_AUTHEN_SVC_FWPROXY := 0x09
...
The TAC_PLUS_AUTHEN_SVC_LOGIN option indicates regular login (as opposed to ENABLE) to a client device. The TAC_PLUS_AUTHEN_SVC_ENABLE option identifies the ENABLE authen_service, which refers to a service requesting authentication in order to grant the user different privileges. This is comparable to the Unix "su(1)" command, which substitutes the current user's identity with another. An authen_service value of NONE is only to be used when none of the other authen_service values are appropriate. ENABLE may be requested independently; no requirements for previous authentications or authorizations are imposed by the protocol.
You will see that these Service options match what is in the ISE Device Admin Policy Set Authorization Rule attributes one-for-one:
So to answer your question, it's basically the CLI privilege level being requested: > or #
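As an added illustration (not code from this thread, Cisco ISE, or the RFC), the decoder below walks the TACACS+ authentication START packet from RFC 8907 and shows that the ISE "TACACS:Service" condition is evaluated against the single authen_service byte in that body. The sample packets, shared secret and session values are constructed placeholders; the unencrypted flag is used only to show the clear-text layout.

```python
import hashlib
import struct

# RFC 8907 authen_service values: the byte ISE's "TACACS:Service" condition is evaluated against
AUTHEN_SERVICE = {0x00: "none", 0x01: "login", 0x02: "enable", 0x03: "ppp", 0x05: "pt",
                  0x06: "rcmd", 0x07: "x25", 0x08: "nasi", 0x09: "fwproxy"}
TAC_PLUS_AUTHEN = 0x01            # header 'type' for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear (lab illustration only)

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_pad(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same operation both obfuscates and recovers it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def parse_authen_start(packet, key=b""):
    """Decode the 12-byte header and the authentication START body (RFC 8907 section 5.1)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_pad(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    user = body[8:8 + ulen]
    port = body[8 + ulen:8 + ulen + plen]
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen]
    return {"seq_no": seq_no, "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": AUTHEN_SERVICE.get(service, hex(service)), "user": user.decode(),
            "port": port.decode(), "rem_addr": rem_addr.decode()}

def ise_service_condition(fields):
    """The ISE Device Admin condition this request satisfies: TACACS:Service EQUALS login|enable."""
    return f"TACACS:Service EQUALS {fields['service']}"

def build_authen_start(session_id, user, port, rem_addr, service, priv_lvl=1, key=b"", seq_no=1):
    """Construct a sample START packet (action LOGIN, authen_type ASCII); obfuscated when a key is given."""
    body = bytes([0x01, priv_lvl, 0x01, service, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr
    version, flags = 0xC0, (0 if key else TAC_PLUS_UNENCRYPTED_FLAG)
    if key:
        body = xor_pad(body, session_id, key, version, seq_no)
    return struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body
```

An IOS device sends authen_service LOGIN for the initial `>` prompt and a second START with authen_service ENABLE (and the requested priv_lvl) when the user types `enable`, which is why ISE can route the two to different identity stores.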
01-16-2022 02:00 AM
The video below gives you some examples: