Setting up AAA authentication for a role
The authorization service verifies that the user is authorized to use commands in the CLI. If your privilege level is higher than or equal to the privilege level of the command, only users with that privilege level can use the command in privilege or role mode (the default). Users with defined roles can use commands if their role allows them. Role inheritance is also used to determine permissions.

Users with roles and permissions are granted permissions using the same mechanism. Six authentication methods are available: Radius, Tacx+, Local, Enable, Line, and None.

If only role-based AAA authentication is enabled, you can use none of the enable, line, and methods. Each of these three methods allows you to grant permissions to users with a password that is not associated with their user ID, or without a password. Because of the lack of security, these methods are not suitable only for role-based mode.

To configure AAA authentication, use the aaa authentication exec command in setup mode. The exec command determines the CLI mode in which the aaa-authorized user will start in the session, such as executable mode or privileged mode execution. For more information about setting up role authentication, see Configuring AAA authentication for a role.

aaa approved implementation { method list name |. Method [...Method 4]
You can further restrict user permissions by using the aaa authentication command in configuration mode.
aaa authentication command {method-list-name |. Method [...Method 4]