I have created a TACACS policy that allows Helpdesk User group from AD to access switches with a shell profile of default privilege 1 and max privilge of 15 and command sets with limited options.

On testing this policy, its giving the user full access on the switch. I am unable to determine whats the cause and how to fix this.

ISE version - 2.4.0.357 and patch - 5,9.

Below is summary of my troubleshooting attempts,

1. I tested for shutdown command and the test user was able to execute it, whereas, according to the command set, he shouldn't have been able to.
2. Then I added a Deny action in command set for shutdown command. Still no luck.
3. I completely changed the command set to default - DenyAllCommands. Still didn't work.
4. Then I left it as it is and focussed on Shell profile. At that time, it was only Max privilege - 15. No success.
5. I created a new one with Default -1 and Max - 15. Still no luck.
6. I then changed the shell profile to DenyAllProfile. Thats when the policy actually worked and login was also not possible. But I want to change it back to original policy but its not working

Switch config : 

aaa authentication login default group tacacs+ local
aaa authentication login DeviceMan group DeviceMan_ISE local enable
aaa authentication dot1x default group ise-group
aaa authorization exec DeviceMan group DeviceMan_ISE local
aaa authorization exec vty local none
aaa authorization network default group ise-group
aaa authorization commands 15 DeviceMan group DeviceMan_ISE local none
aaa authorization auth-proxy default group ise-group
aaa authorization config-commands
aaa accounting auth-proxy default start-stop group ise-group
aaa accounting dot1x default start-stop group ise-group
aaa accounting update periodic 5

Can anyone please assist me finding the rootcause of this issue and a possible solution ?

Thanks in advance!

Update: Added Switch config