You can modify the default aaa_init.xml with the following changes:
Add a cmdrule for the <rule-list> named admin as follows:
<cmdrule xmlns="http://tail-f.com/yang/acm">
<name>command-access</name>
<command>*</command>
<action>permit</action>
</cmdrule>
Add a cmdrule for the <rule-list> named any-group as follows:
<cmdrule xmlns="http://tail-f.com/yang/acm">
<name>config-access</name>
<command>config</command>
<action>deny</action>
</cmdrule>
