Would love to find some documentation that validates your statement. Best I can find is the following:
"The format for this is cli-* , which means allow all the commands and subcommands. (cli-<command> just means the command and NO subcommands.) "
But then, as you mentioned, just allowing the capability to run the "cifs" command (no other arguments) should effectively do nothing except provide the help output for the cifs command. Yet, I see the following in the messages file when a user attempts to execute "cifs shares":
"User 'testuser' denied access - missing required capability: 'cli-cifs'"