I created a vfiler for one of our customers to use as a CIFS server. The customer should be able to administer CIFS by himself over the MMC.
I created a group CIFSAdmins and attached the a new role with the following capabilities: api-cifs-list-*,api-cifs-session-*,api-cifs-share-*,api-quota-*,api-cifs-homedir-*
The strange issue is that with this capabilities an ACCESS DENIED message is displayed on shares. For testing purposes I added the customer to the power user group, everything works fine but the customer is still able to change the members of the local groups. The default capabilities for the power user group is