Configure AAA on R4 to use the TACACS+ server.
Configure authentication, EXEC authorization, and command-level 1/10/15 authorization.
Move the show running-config command to level 10 for user1 to be able to invoke it.
Configure fallback to local in the event the AAA server goes down.
Make sure you use a named method list and apply it to vty lines. Do not configure any authentication or authorization for console or auxiliary ports, or you will lose all marks.
Use the following example to configure all of the above.
aaa new-model aaa authentication login vtyline group tacacs+ local aaa authentication login con-none none aaa authorization exec vtyexec group tacacs+ local aaa authorization exec conexec none aaa ...