For my university, we needed to have tutors who could monitor the progress of particular groups of students in a course, but were not able to view data about other students.
In order to meet this need, I created a role based on the Student archetype to which I gave permissions to "View grades of other users" (Allow). However, I set the role to have "access all groups" set to Prohibit. Regarding forums, I left most permissions set to the defaults, except any about creating or responding to posts, which I switched from Allow to Not Set, since the tutors shouldn't have permission to participate in the course, only view their students' records.
Once I set these permissions, I assigned the tutors the newly defined role in the appropriate courses, and created the groups accordingly. I also modified the course to have "Separate groups" and set the group activity setting to "Force". However, on testing, I discovered that the tutors were able to view forum posts from all users, not just ones in their group.
Could this be because the forum posts were made prior to the groups being created, or is there something else I'm missing? Is there another permission I need to change to ensure that the tutors can only view the forum posts from students in their group?