For the first requirement, you can store the IDs of the forms each user is allowed to view and send that as a principal attribute. Then you can have a rule that checks that list to ensure that the form they are trying to view is in it.
The groups a user belongs to would be another principal attribute as well. Because Cerbos is stateless, every time you make a request, you have to send the attributes anyway. Therefore, any changes you make in the UI will be immediately visible to Cerbos.
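A resource policy along the lines described above, as an added example that is not part of the original reply or of any Cerbos sample code. The resource kind `form`, the role `user`, the actions, and the attribute names `allowedFormIds`, `groups` and `ownerGroup` are all assumptions chosen for illustration.

```yaml
# Added example. Every name below (form, user, view, edit, allowedFormIds,
# groups, ownerGroup) is hypothetical; substitute your application's own.
#
# Constructed principal as the application would send it on each check,
# freshly loaded from its own database because Cerbos keeps no state:
#   principal:
#     id: "alice"
#     roles: ["user"]
#     attr:
#       allowedFormIds: ["form-17", "form-42"]
#       groups: ["finance"]
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "form"
  rules:
    # A user may view a form only if its ID is in the list sent with the request.
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          all:
            of:
              # Guard against a principal sent without the attribute.
              - expr: has(request.principal.attr.allowedFormIds)
              - expr: request.resource.id in request.principal.attr.allowedFormIds

    # Assumed use of the groups attribute: editing requires membership
    # in the group that owns the form (ownerGroup is a resource attribute).
    - actions: ["edit"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          all:
            of:
              - expr: has(request.principal.attr.groups)
              - expr: has(request.resource.attr.ownerGroup)
              - expr: request.resource.attr.ownerGroup in request.principal.attr.groups
```

Any action not matched by an allow rule is denied, so a principal sent with an empty or missing `allowedFormIds` list cannot view any form.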