Cumulative permissions, as detailed in Brogan's guide, really are the way to go. I find this system so much easier than what I did on phpBB.
Maybe you could give an overview of how your groups are set up? Someone could then give a solution on how to set up with cumulative permissions.
I have the basic groups, and I've created 4 more. I have moderators, admins, and super admins.
Moderators cannot change user groups or access ACP, but they can ban users.
Admins and super admins can access ACP, but admins don't have permission to access options and all the dev stuff, just the user tab.
Aside from that, I have users that I'm doing consultations for, and it takes place in a node designed only for that. They can see their own threads (each one of them), and staff reply there (assigned staff: if X from our staff was assigned to customer B, this staff member can't see customer C's thread; different customer, different staff member).
We also have "honor" users, who have more privileges based on the registered users group. They can tag more people, send unlimited PC, etc. They can also access a "draft node" that nobody except staff can. They get all the articles [in their pre-final state] before anybody else.
I also have a group that puts all the people that finished consultation (automatically) in this specific group that gives them the ability to view their thread but they can't reply or open a new one (and of course, they can't see any other threads except for their own).
That's it pretty much.