How did you come about matching "vsys" with remote and "privilege" with remote when it looks to me that "tacplus_user" is the login user that has the class permissions associated?
What we did in ACS4.2 was local-user-name = Engineer, and on the JUNOS platform we had:

    system login user Engineer class Engineer
    system login class Engineer permissions all
Additionally, we had a read-only account which referenced a class with view and view-configuration. But on the ACS profile we identified allow-commands and deny-commands within the custom attribute field.
In my case, unfortunately, I am dealing with another group as I don't control my ACS appliance. I really need a step-by-step path to do this.