Here is the process that I took.
- Created a new Helpdesk role based off the authenticated users role so that any updates wouldn't necessarily give permissions to something without me knowing
- Went through and turned on "prevent" for everything
- Went back through and turned on "allow" for the specific things I wanted them to be able to do.
My helpdesk role can modify user info, and go into any course to view it without enrolling themselves. They can't modify anything. It just takes a lot of tweaking. Would be nice if I could export my setup.
If you are afraid of giving a permission to the site role at the course level that could affect the frontpage, you are able to restrict that within the frontpage permissions here: /admin/roles/permissions.php?contextid=2
For instance, if you want to give the ability to reply to forum posts, like you stated, "answer questions posed by the students", you give that permission to the helpdesk role, then go to the frontpage permissions and remove it in case you don't want it there. You can also assign that user at each category level and you won't have to worry about anything on the frontpage or under 'site administration'.
Hope that made sense