no, it will allow access to the entire cifs family of commands. It is very difficult to create read-only access to the filers. They can view the shares using "computer management" on their workstation and connecting to the filer.
Would love to find some documentation that validates your statement. Best I can find is the following:
"The format for this is cli-* , which means allow all the commands and subcommands. (cli-<command> just means the command and NO subcommands.) "
But then, as you mentioned, just allowing the capability to run the "cifs" command (no other arguments) should effectively do nothing except provide the help output for the cifs command. Yet, I see in the following in the messages file when a user attempts to execute "cifs shares":