Thanks for the replies.
@Colin: What would happen if the ssh user was granted read-only privileges via CPPM VSA? Would they also be dumped into the enabled level if enable bypass is, um, enabled? In the same vein, it appears a read-only user who connects via ssh can type enable and, if they know the password, they will be elevated. Is that correct? I would have almost expected the enable command to be denied for read-only users.
@Tim: All in good time re: TACACS+. The service isn't enabled yet on CPPM, though that may well happen soon for other network devices. Because the controllers do not make use of any returned attributes from a TACACS+ server, I saw no reason to jump-start the service on CPPM at this time. We're going from a local mgmt user to RADIUS authn on the controllers, so that's progress.