As you mentioned, the "Role-Based Access Controls in Data ONTAP™: Granular Administration of Capabilities" doc is a great one.
It explains (with examples) how to implement RBAC.
At the end of the document (page 9), there's a list of all cli- capabilities.
The problem is that this document is now 4+ years old.
I'm sure that, since then, new capabilities have been implemented in DOT.
I was not able to find any up-to-date list of implemented capabilities for DOT 7.2.4, 7.2.5, 7.2.6 or 7.3.
I would be really interested in a per-release exhaustive list of implemented capabilities.
Moreover, with such year-2004 capabilities, when for example cli-aggr-* is granted to a role, a user with that role assigned will not only be able to perform "aggr status -r/-s/-f" but also aggr offline/destroy commands.
I want to be more granular than that.
I hope that this is possible with the new capabilities that were probably introduced in DOT since then.
It would be really great if someone has already implemented such a role that is limited to "read-only" cli- capabilities.
It would be nice to find that exhaustive list that you are requesting. Funny that no one from NetApp seems to have one. Seems to be the case on a few matters that have come up. Like things are only partially thought through.