[c-nsp] A question about TACACS+ and controlling command use

Byrd, William will at thoughtcrime.net
Fri Jun 12 09:42:11 EDT 2009


I've done a lot of thinking and searching on this problem and I haven't
been able to figure out any way to solve it. The rest of the Engineers
here have come to the conclusion it just can't be done.

We have a pretty large deployment of Cisco 7200s with the vast majority
being carded out with PA-MC-2T3 cards. Typically a customer will order a
DS1 or several DS1s which will be delivered MLPPP to the customer.

As we do not currently have any automation tools in place to provision or
remove old provisioning for customers, we frequently end up in situations
where a technician building or removing a customer has shut down a DS3 and
taken down a lot of customers.

The obvious answer is to restrict the use of the shutdown command.
Unfortunately the technicians that often make the mistakes have to be able
to use the command to shut down Serial or Ethernet interfaces in the
course of their work.

As TACACS is set up to basically permit or deny the use of the command, I
can't find a way to restrict it on, say, a T3 controller but permit it for
everything else, for example:

        cmd = no
                {
                        permit ^shutdown.<cr>$
                        deny .*
                }

        cmd = shutdown
                {
                        permit .*
                }

Anyone ever deal with a similar problem and find a good solution to it?

-Will
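
Added example, not part of Will's post or of any TACACS+ daemon's code: a small Python model of how a tac_plus-style daemon evaluates "cmd = X { permit RE; deny RE }" blocks like the ones above, and of what IOS actually puts into the command-authorization request. The matching semantics (arguments joined with single spaces, regexes tried in order, first match decides, no match denies, IOS appending "<cr>" as the last argument) are my understanding of tac_plus behaviour and are assumptions, as are the interface and controller names. The point it makes concrete is that the request carries only the command word and its arguments; the configuration mode the operator is sitting in never reaches the daemon, so "shutdown" under a T3 controller and "shutdown" under a Serial interface are byte-for-byte the same authorization request.

```python
import re
from dataclasses import dataclass

# Constructed policy text, the corrected version of the blocks in the post.
# "^shutdown <cr>$" is written with a literal space; "^shutdown.<cr>$" would
# match the same joined string because "." also matches the space.
POLICY_TEXT = """
cmd = no
{
    permit ^shutdown <cr>$
    deny .*
}
cmd = shutdown
{
    permit .*
}
"""


@dataclass
class Policy:
    blocks: dict            # command word -> list of (action, compiled regex)
    default_permit: bool = False   # decision for a command with no cmd block


def parse_policy(text: str) -> Policy:
    """Parse tac_plus-style cmd blocks (assumed syntax: brace on same or next line)."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "{":
            continue
        m = re.match(r"cmd\s*=\s*(\S+)\s*\{?$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
            continue
        if line == "}":
            current = None
            continue
        action, _, pattern = line.partition(" ")
        if current is None or action not in ("permit", "deny"):
            raise ValueError(f"unexpected line in policy: {raw!r}")
        current.append((action, re.compile(pattern.strip())))
    return Policy(blocks)


def authorize(policy: Policy, cmd: str, args: list) -> bool:
    """Assumed tac_plus semantics: join args with spaces, first matching
    permit/deny regex wins, no match means deny."""
    block = policy.blocks.get(cmd)
    if block is None:
        return policy.default_permit
    joined = " ".join(args)
    for action, rx in block:
        if rx.search(joined):
            return action == "permit"
    return False


def ios_authz_request(typed_line: str):
    """What IOS sends for a typed config line: cmd = first word,
    cmd-arg = each remaining word, then a final "<cr>" argument.
    Nothing here identifies the config mode (interface vs controller)."""
    words = typed_line.split()
    return words[0], words[1:] + ["<cr>"]


def decide(policy: Policy, typed_line: str, config_mode: str) -> bool:
    """config_mode is what the operator sees on the router prompt; it is
    accepted only to show that it is not part of the TACACS+ request."""
    del config_mode  # never transmitted to the daemon
    cmd, args = ios_authz_request(typed_line)
    return authorize(policy, cmd, args)


POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    # Hypothetical prompts; names are illustrative only.
    for mode, line in [
        ("controller T3 1/0", "shutdown"),
        ("interface Serial1/0/0:1", "shutdown"),
        ("interface Serial1/0/0:1", "no shutdown"),
        ("interface Serial1/0/0:1", "no ip address 10.0.0.1 255.255.255.0"),
    ]:
        cmd, args = ios_authz_request(line)
        print(f"{mode:26} {line!r:45} -> request cmd={cmd} args={args}"
              f" -> {'permit' if decide(POLICY, line, mode) else 'deny'}")
```

Running it shows both "shutdown" lines producing the identical request (cmd=shutdown, args=["<cr>"]) and therefore the identical decision, whatever the cmd block says; the "no" block behaves as intended, letting "no shutdown" through and denying every other "no ..." form.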

