Hi Patricia,
When you say "create a new student", do you mean "Add a new user"? https://docs.moodle.org/37/en/Add_a_new_user
Also, can you clarify what you mean by "create new students on their groups"? "Create new students" sounds like making a user account at the site level (that is, nothing to do with the course). However, in your description, you mentioned it in the context of a course and groups. This makes me think you are talking about some type of enrollment, such as: https://docs.moodle.org/37/en/Manual_enrolment
A bit more information: Adding a new user is controlled by the moodle/user:create capability. I did a test by creating a new Role that could be assigned at the System context, and used "ARCHETYPE: Teacher (non-editing)". If you Allow the moodle/user:create capability, and then assign that role to someone at the system context, then that user can use the Add a new user function. They will see an error after they create a user, but the user will be created correctly.
You can get rid of the error by also allowing the "moodle/user:delete" capability, but then they will have access to the "Browse list of users" page, which is exactly what you do not want.
Some other recommendations:
- I only used the non-editing Teacher archetype as a test. You might want to create the role from scratch, or remove other capabilities from your custom role, so that they cannot do other things that you do not intend (remember, you are assigning this at the System level, so they will have permission to do things across the whole site).
- For the sake of convenience, you may wish to also allow the "moodle/site:configview" capability, so that they can see the appropriate menu items in Administration (they will only see the items for which they have permission).
- Since they are working on users, you might also want to look at moodle/user:update and moodle/user:editprofile.
Anyway, I hope that is something for you to chew on. It sounds like you have a very specific workflow in mind, and some of these ideas might help you achieve that. Alternatively, if you have any kind of flexibility, you might want to think about where your workflow could be modified, to better reflect some of the ways that capabilities are divided in Moodle. I know that might not sound helpful, but I kindly ask you to consider this: "creating a user" is inherently an action that happens at the platform level (site level). Therefore, it is a bit of a challenge to give someone permissions at that level, while also completely blocking them from seeing other accounts at the platform level. Not to say it is impossible, but I would think that someone who is adding users to a Moodle site has a good business reason to know basic things about other users on the site.
I wish you luck!