1 - Create a specialized administrative role for each company and permission it only for their classes.
2 - Disable visibility to the full list of students across all companies
3 - Create an external application that company admins can use to manage their users. This is an extremely difficult thing to do. Indeed, it might be doable with mods of the administrative code that limited visibility based on the users. Either way, the institution field is probably the key to distinguishing users.
The key problem, of course, is that is that point 2 is incompatible with limiting company admins visibility to users from other companies without a code modification that only allows them to see users from specific institutions.
Once that's done the patches you need should be limited to the administrative modules directly related to users, including all the modules associated with users/accounts and, within classes, role and group assignments. That shouldn't be huge.
So long as you can create a single administrative role that is limited to managing users within their institution and have confirmed that the the user list is limited to their institution, things should be pretty clean.
This isn't nearly as hard as I thought it might be up front.
If you force separate groups on all of your courses and use Site-Wide Groups you could accomplish this very thing and you could only use one set of courses. You would need to throttle down some of the role settings for directors and turn of Messaging to keep things completely "clean".
You said your deadline was the end of the year, so I'm assuming you already implemented something. How did you go about it?
Martin, where's the best place for me to submit my thoughts on this. We use groups like crazy so I have some very strong feelings about this. I read through the link you posted, which gave me even stronger feelings about the right and wrong ways to do this, but I'm not sure where to put my input.
Thanks. Added my own thoughts as Design 4.
I would hate to see cohorts added because it sounds like they would be quite complex to implement (and administrate) and suck up a lot of resources that need to be directed at perfecting and polishing groups and groupings.
"The action you have requested is limited to users in the group user. You can view and copy the source of this page:"
Not sure what happened, but I can't add anything…