Authorization

Authorization works transparently in candidate edit mode. No new or special local profile or TACACS+ permission rules are required, other than allowing access to the candidate branch. For example, a user who has permission to access the configure filter context automatically has access to the same context in candidate edit mode.

The candidate load and save commands load and save only those items that the user is authorized to access.

The candidate view command only displays the items that the user is authorized to access.

The candidate editing commands (such as adding or removing lines) only allow the user to modify items that they are authorized to access.

The candidate commit and discard commands, along with the admin>rollback>revert command, act on all items in the candidate configuration and are not affected by authorization.
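The following local profile sketch illustrates the rules above. It is an added example, not part of the original documentation. The profile name and entry numbers are constructed, and the syntax assumes the classic CLI form of configure system security profile.

```text
# Constructed example: local profile for an operator who may only
# work on filter configuration, including in candidate edit mode.
configure system security
    profile "filter-ops"
        # Anything not explicitly permitted below is denied.
        default-action deny-all
        # The only candidate-specific rule needed: access to the
        # candidate branch itself.
        entry 10
            match "candidate"
            action permit
        exit
        # The existing permission for the configure filter context.
        # It applies unchanged in candidate edit mode, so load, save,
        # view and the editing commands are limited to filter items.
        entry 20
            match "configure filter"
            action permit
        exit
        # Session housekeeping so the user can leave contexts and log out.
        entry 30
            match "exit"
            action permit
        exit
        entry 40
            match "logout"
            action permit
        exit
    exit
exit
# Caveat from the text above: candidate commit and candidate discard
# act on the whole candidate configuration. When a member of this
# profile commits, items outside configure filter that are present in
# the candidate are committed as well, even though this user cannot
# view or edit them.
```

When reviewing profiles, treat access to the candidate branch as carrying commit and discard over the full candidate, and grant it with that scope in mind.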