I know this is a common topic - but I can not figure out what the real intention of the design is here. My user groups are basically like this.. - unregistered - registered - special promotion groups - some restricted access groups (penalty box, limited access, etc) All users are members of registered, and I add them to special promotion groups when those users pick-up new permissions to other nodes. The user groups are setup so that registered users are granted the baseline permissions all users would expect.. posting, viewing, etc. Normally I would expect to make the permission changes at the node level. Normally I'd like to treat all forums as the default level.. and either remove some permissions or grant new ones based on the groups. My problem is because all users are members of 'registered users' - I have a very hard time making the forums how I need. Specifically if I want to make a forum specific to only a certain group - I must mark it 'Private' and then give specific permissions to the group in question. That works if I want ONLY that group to have permissions. But if I want a forum everyone has the ability to read.. but only certain users to post.. I can't make it work out. My default is to have a special access group, and grant them permissions via 'allow' on the node to that user group. But because I want to reduce the permissions of the general population, I use 'revoke' on the posting permissions of the group 'registered users'. I change the permissions on the node for the special access group to 'allow' for posting permissions. But because everyone is a member of 'registered users', even the special access users, the revoke on 'registered users' overrides the 'allow' permission granted by the special access group If posting permissions are granted to 'registered users' - a group everyone is a member of.. how can I remove that permission while NOT removing it for everyone? Either groups shouldn't be layered.. which obviously isn't the design given primary and secondary groups.. or Permissions really shouldn't be granted to user groups like 'registered users'. Can someone please paint a picture of how this should be setup?