Setting up access to a device in TACACS+...
When it's in a group that already existed, access is fine.
When it's moved to a new group, nobody can get to it: the accounts authenticate in TACACS+, but they get hit with "default rule" and denied access.
Put the device back in the group that existed before the object was added, and access is fine again.
This has happened with multiple devices and multiple new groups. Our workaround is to keep the devices in the old groups and then make one-off rules that filter by IP address.