The difference between the CommandExecute policy and the AutoSysCommandISponsorFilters.txt file is that changes to AutoSysCommandISponsorFilters.txt apply to everyone.
With the CommandExecute policy you can restrict commands and also limit them to certain users.
For example, suppose you want to allow user 'user1' to execute the 'autoflags -a' command and also 'autorep -J', but no other commands.
This can be done by specifying the following resources in the CommandExecute policy:
server/ACE/autoflags -a
server/ACE/autorep -J [^;]+$
Select 'Execute' as the action.
Turn on the flag 'Treat resource names as regular expressions'.
If you specify
server/ACE/autorep [^;]+$
then all options of autorep are allowed.
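The following is an added example, not part of the original article or the product: it checks constructed resource names against the patterns above to show which commands each variant permits. It assumes the policy engine matches a pattern against the complete resource name (modelled with re.fullmatch); the job and machine names are made up.

```python
import re

# Resource patterns copied from the policy described above.
RESTRICTED = [r"server/ACE/autoflags -a", r"server/ACE/autorep -J [^;]+$"]
# Broader variant from the article: every autorep option is allowed.
BROAD = [r"server/ACE/autoflags -a", r"server/ACE/autorep [^;]+$"]

# Constructed sample resource names (job/machine names are hypothetical).
SAMPLES = [
    "server/ACE/autoflags -a",
    "server/ACE/autorep -J nightly_load",
    "server/ACE/autorep -J nightly_load -q",
    "server/ACE/autorep -M agent01",
    "server/ACE/autorep -J nightly_load; autorep -M agent01",
    "server/ACE/sendevent -E STOP_DEMON",
]


def is_permitted(resource, patterns):
    """Return True if any pattern matches the whole resource name.

    Assumption: the pattern must cover the complete resource name,
    so re.fullmatch is used rather than re.search.
    """
    return any(re.fullmatch(p, resource) for p in patterns)


def evaluate(resources, patterns):
    """Map each resource name to the allow/deny decision."""
    return {r: is_permitted(r, patterns) for r in resources}


if __name__ == "__main__":
    for name, patterns in (("restricted", RESTRICTED), ("broad", BROAD)):
        print(name)
        for resource, ok in evaluate(SAMPLES, patterns).items():
            print("  %-5s %s" % ("ALLOW" if ok else "DENY", resource))
```

Note that [^;]+$ only rejects a semicolon; any other character after the fixed prefix is accepted, so the prefix itself is what limits the command and option.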