AAA Authorization question
14 years 9 months ago #33726
by FlipRich
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
AAA Authorization question was created by FlipRich
I'm going over CCNA Sec. topics in the Cisco Press book and I seem to be kind of stuck on the Authorization process of AAA. I understand the function of the process is to grant certain levels of security, but I'm not too sure how it works. Take this command for example:
aaa authorization commands 15 default local
According to the book, the local user database is used to authorize the use of all level 15 commands for the default method list.
Well, when you create users in the local database, you have the option of assigning access levels 1-15. Isn't that already authorization?
Also, according to the book's explanation, the authorization is placed on the method list. What's the point of authorizing a list? The user accounts should be authorized, not the list, right?
I'm soooo confused on this..
14 years 9 months ago #33729
by Perlhack
Replied by Perlhack on topic Re: AAA Authorization question
The enable password is just that, enable to a certain level. The command aaa authorization commands 15 <options> is to authorize each and every command entered by the user. Using the local database to authorize a command could be done by RBAC (parser view, etc.). IMO TACACS+ would be a much easier way to do this. Even if the user is priv 15, authorization can be set for the commands allowed/denied. The example here has a user at priv 15 with the copy command denied and the show command allowed by TACACS+.
SPOKE_901#sh privilege
Current privilege level is 15
> Command on router:
aaa authorization commands 15 default group tacacs+ local
SPOKE_901#copy run start
Command authorization failed.
SPOKE_901#show run
Building configuration...
Current configuration : 11483 bytes
!
! Last configuration change at 03:10:32 EST Sun Feb 21 2010 by cust
! NVRAM config last updated at 03:09:52 EST Sun Feb 21 2010 by cust
!
version 15.0
<truncated>
TACACS+ server config:
user = cust {
service = exec {
}
member = 15
login = cleartext XXXXX
cmd = copy {
deny .*
}
cmd = delete {
deny .*
}
cmd = show {
permit .*
}
}
As far as I know, vty lines, con 0, etc. can be tied to AAA lists. The config above uses default but could have easily been changed to a named list and tied to a line.
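The following is an added example, not code from the thread or from tac_plus itself: a small Python model of the decision the TACACS+ server makes for each command once the router is running aaa authorization commands 15 default group tacacs+ local. It parses the cust block posted above (plus a hypothetical ops user, added here to show default service = permit), then evaluates the expanded form of the commands typed in the reply. Assumptions: the parser only handles the subset of the tac_plus.conf grammar seen in the post, the first word of a command selects the cmd block and the remaining arguments are tested against that block's permit/deny regexes in order, and a command with no cmd block is denied unless the user block carries default service = permit, which is how tac_plus documents its default.

```python
# Added example (not the thread's own code): model of tac_plus-style
# per-command authorization for IOS 'aaa authorization commands 15 ...'.
# Assumptions: only the tac_plus.conf subset used in the post is parsed;
# first word of the command picks the 'cmd = NAME' block, the argument
# string is matched against its permit/deny regexes (first match wins);
# no cmd block => deny unless 'default service = permit' is set.
import re
from dataclasses import dataclass, field

# Constructed sample config: the 'cust' block from the post plus a
# hypothetical 'ops' user that demonstrates 'default service = permit'.
TAC_PLUS_CONF = """
user = cust {
    service = exec {
    }
    member = 15
    login = cleartext XXXXX
    cmd = copy {
        deny .*
    }
    cmd = delete {
        deny .*
    }
    cmd = show {
        permit .*
    }
}
user = ops {
    default service = permit
    cmd = configure {
        deny .*
    }
}
"""


@dataclass
class UserPolicy:
    name: str
    default_permit: bool = False
    cmds: dict = field(default_factory=dict)  # cmd name -> [(action, regex), ...]


def parse_tac_plus(text):
    """Return {username: UserPolicy} for the user blocks in a tac_plus.conf."""
    users, stack, current, cmd_name = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":  # closes the innermost open block
            kind = stack.pop()
            if kind == "cmd":
                cmd_name = None
            elif kind == "user":
                current = None
            continue
        m = re.match(r"user\s*=\s*(\S+)\s*\{$", line)
        if m:
            current = users[m.group(1)] = UserPolicy(m.group(1))
            stack.append("user")
            continue
        m = re.match(r"cmd\s*=\s*(\S+)\s*\{$", line)
        if m and current is not None:
            cmd_name = m.group(1)
            current.cmds.setdefault(cmd_name, [])
            stack.append("cmd")
            continue
        if line.endswith("{"):  # service = exec { ... } and similar blocks
            stack.append("other")
            continue
        m = re.match(r"(permit|deny)\s+(.*)$", line)
        if m and cmd_name is not None:
            current.cmds[cmd_name].append((m.group(1), re.compile(m.group(2))))
        elif current is not None and re.match(r"default\s+service\s*=\s*permit$", line):
            current.default_permit = True
        # member, login, ... play no part in command authorization: ignored
    return users


def authorize(policy, command_line):
    """Decide one command as IOS sends it (fully expanded, e.g.
    'copy running-config startup-config'); returns (decision, reason)."""
    words = command_line.split()
    if not words:
        return "deny", "empty command"
    name, args = words[0], " ".join(words[1:])
    rules = policy.cmds.get(name)
    if rules is None:
        if policy.default_permit:
            return "permit", f"no cmd block for {name!r}; default service = permit"
        return "deny", f"no cmd block for {name!r}; default deny"
    for action, pattern in rules:  # first matching regex wins
        if pattern.search(args):
            return action, f"cmd = {name}: {action} {pattern.pattern}"
    return "deny", f"cmd = {name}: no permit/deny pattern matched {args!r}"


POLICIES = parse_tac_plus(TAC_PLUS_CONF)


def demo():
    """Decisions for the commands typed in the post, plus edge cases."""
    checks = [
        ("cust", "copy running-config startup-config"),  # 'copy run start' expanded
        ("cust", "show running-config"),
        ("cust", "configure terminal"),  # no cmd block for cust: default deny
        ("ops", "configure terminal"),
        ("ops", "reload"),  # no cmd block, but default service = permit
    ]
    return {f"{u}: {c}": authorize(POLICIES[u], c)[0] for u, c in checks}
```

Two practitioner caveats that the model makes visible. First, the local keyword at the end of aaa authorization commands 15 default group tacacs+ local is only consulted when no TACACS+ server answers; a deny returned by the server is final and does not fall through to the local database, so the "Command authorization failed." seen above cannot be worked around by the user's local priv 15 entry. Second, the same policy can be bound to specific lines with a named list (aaa authorization commands 15 VTY-AUTHZ group tacacs+ local, then authorization commands 15 VTY-AUTHZ under line vty 0 4); the console is not subject to command authorization at all unless aaa authorization console is configured, which is the usual lock-out safety net while testing this.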
14 years 8 months ago #33749
by FlipRich
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
Replied by FlipRich on topic Re: AAA Authorization question
So what you're saying is that authorization is used for applying authorization settings on commands, network, exec, etc., not for a user? I know that RBAC could do so; that's why I questioned the use of authorization in AAA.
14 years 8 months ago #33780
by FlipRich
Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
Replied by FlipRich on topic Re: AAA Authorization question
I think I may have made this stuff harder than it really is. Now that I think about it, like you said, there's really not much you can do setting up a list to authorize with the local database, right? If you use a RADIUS or TACACS+ server, there are more options in authorization.
Am I getting warmer? I'm really just trying to get the basics.
14 years 8 months ago #33783
by Perlhack
Replied by Perlhack on topic Re: AAA Authorization question
TACACS+ can do authorization, RADIUS can not. Someone else could probably comment in more depth, but as far as I know, without using a TACACS+ server the local method is limited to priv levels and parser views (not really AAA stuff in my opinion). TACACS+ has a lot of attributes to customize groups, or down to a single user, for what is authorized/not authorized.