TACACS+ command authorization operates in one of three ways:
all users who authenticate via TACACS+ can use a single common default command authorization profile that is configured on the SR OS
each command attempted by a user is sent to the TACACS+ server for authorization
operator can configure local profiles and map tacplus priv-lvl based authorization to those profiles (the use-priv-lvl option)
To use a single common default command authorization profile to control command authorization for TACACS+ users, the operator must enable the tacplus use-default-template option and configure the parameters in the user-template tacplus_default to point to a valid local profile. The tacplus authorization command must also be disabled.
If the default template is not being used for TACACS+ authorization and the tacplus authorization command is enabled without the use-priv-lvl, then each CLI command issued by an operator is sent to the TACACS+ server for authorization. The authorization request sent by the SR OS contains the first word of the CLI command as the value for the TACACS+ cmd and all following words become a cmd-arg. Quoted values are expanded so that the quotation marks are stripped off and the enclosed value are seen as one cmd or cmd-arg.
When the use-priv-lvl option is used, the router maps the priv-lvl returned by the TACACS+ server to a local profile as configured under the priv-lvl-map. Command authorization then uses the local profile. If the TACACS+ server does not return a priv-lvl, and the tacplus use-default-template command is enabled, then the router uses the local profile in the user-template tacplus_default for command authorization.