It actually means that if you can get into global config, all commands will be automatically allowed, and the TACACS server will not be checked. By default only exec commands (show, clear, config t, etc.) are checked for command authorization. The idea is that if you want the user to be able to get to global config, you probably want them to be able to do whatever they want. If not you need to turn config-commands authorization on and then specify what they can or can't do.