thank you for your post, that helped me in this annoying problem of enrol cohort.
After I read your guideline, I tried a simpler way, and I found this way (it is a subset of what you suggest)
1. Log into Moodle as a site admin
2. Go to Site administration - Users - Permissions - Define Role
3. Click the icon to the right of the "course creator" role in order to modify it. In my school, every course creator must enrol his students in his own course.
4. Set Context types where this role may be assigned = "System" & "Category". Likely, it is already ok.
5. Set the change default permissions as follows:
- Role assignments synchronised to course enrolment enrol/category:synchronised = allow
- Configure cohort instances enrol/cohort:config = allow
- Configure enrol instances in courses moodle/course:enrolconfig = allow
- View site-wide cohorts moodle/cohort:view = allow
Actually I'm using moodle 2.5, and I need only these four settings to permit the teacher the enrolment by cohort.