One of my readers asked an interesting question: "why do the commands executed within an EEM Tcl policy fail with a Command authorization fails message?" The short answer is simple: if you use AAA command authorization (which you can only do if you're using a TACACS+ server), you have to specify the username under which EEM will execute its CLI commands with the event manager session cli username user configuration command.
Note: This is only required if you use a TACACS+ server, as command authorization cannot be performed in AAA environments using RADIUS servers.
For those of you who want to know more, here's the in-depth explanation:
EEM applets and Tcl policies do not execute in the context of a line (a physical or virtual terminal interface); it's therefore impossible to execute CLI commands directly from an EEM policy (contrary to what you can do in the Tcl shell with the exec command). To execute CLI commands, you have to open a quasi-telnet session with the cli_open call and send and receive characters with the cli_exec call or a combination of cli_write/cli_read* calls. The same approach is used for the commands executed with the action cli commands within EEM applets, the only difference being that you cannot process the output generated by the CLI commands in an EEM applet.
The commands executed by an EEM applet or Tcl policy undergo all the security checks usually performed by the router (they are no different from commands typed in by an operator using a telnet session; only the authentication process is skipped). If you have configured AAA command authorization, the router sends an AAA request to the TACACS+ server for every command the EEM applet tries to execute ... and the authorization requests fail if there is no username included in the request. As the login process is skipped, you have to set the desired username manually with the event manager session cli username user configuration command.
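Putting the cli_open / cli_exec / cli_close sequence together, here is an added example of an EEM Tcl policy (not code from the original post or from Cisco) that runs one command through the quasi-telnet session, catches an authorization failure, and processes the output in a way an applet cannot. The command it runs and the syslog wording are my assumptions; the router must also carry event manager session cli username user, with a user the TACACS+ server authorizes for that command.

```tcl
# Added example: EEM Tcl policy running a CLI command through the
# quasi-telnet session. Required router-side configuration (from the post):
#   event manager session cli username <user>
::cisco::eem::event_register_timer watchdog time 300

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# cli_open returns a keyed list with the file descriptor (fd) and tty id
# of the virtual session; every command sent over it is subject to the
# same AAA command authorization as an operator's telnet session.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli $result

if {[catch {cli_exec $cli(fd) "enable"} result]} {
    error $result $errorInfo
}

set cmd "show ip interface brief"   ;# assumed command to authorize and run

# Handle both ways a failure can surface: a Tcl error from cli_exec, or the
# router's authorization-failure text returned as the command output.
if {[catch {cli_exec $cli(fd) $cmd} output] ||
    [string match -nocase "*authorization fail*" $output]} {
    action_syslog priority err msg "EEM: '$cmd' failed: $output"
    catch {cli_close $cli(fd) $cli(tty_id)}
    error "command authorization or execution failed for '$cmd'"
}

# Process the output inside the policy (not possible in an EEM applet):
# count interfaces reported as administratively down.
set admin_down 0
foreach line [split $output "\n"] {
    if {[string match "*administratively down*" $line]} {
        incr admin_down
    }
}
action_syslog priority info msg "EEM: $admin_down interface(s) administratively down"

if {[catch {cli_close $cli(fd) $cli(tty_id)} result]} {
    error $result $errorInfo
}
```

The syslog message written on failure is what you would look for on the router (or the TACACS+ server's accounting log) when the session username is missing or not authorized for the command.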