[j-nsp] Using TACACS to prevent deactivate/activate statements?

[Brian Pavane]

All,

I am currently working on a security profile, that requires me to 
prohibit certain deactivate/activate commands to be issued by a certain 
class of users.  I am looking to add this to my current TACACS 
configuration (tac_plus), however I have been unable as of yet to get 
the router to properly authorize these commands.

 From what I can tell, these need to be placed in the "deny-commands" 
section rather than the "deny-configuration" section of TACACS... but I 
may be wrong (I've tried both).

Has anyone done this in the past?  If so, could you share this portion 
of your tacacs.conf?

Thank you.

-Brian