You can try the following:
Assign the show commands and Config commands to a privilege level.
Create an AD group for your Helpdesk staff
Assign the configured privilege level (eg Privilege 5) to the AD group with your TACACS
They should then only have access via TACACS to those commands specified.
HTH