this is exact what i try to avoid send task groups from central authorization server ( Tacacs+ in my case ) will be more good you don't have to change configuration in devices when you need to change group role