We are trying to create a custom role in our Portal deployment. By default, we do not want to allow users to share content publicly. This is the security consideration behind our constraint. We will be hosting PHI/PII data.
Our goal would be to have a custom role that can allow users to change ownership of items and share publicly. If a Survey123 survey needed to be deployed off-hours, User A could create and publish the survey. Next, User B could make themselves the owner, and share the survey publicly; finally, User B would re-assign ownership of the items to User A. The GIS Portal admins are not on-call/24-hour available staff.
I believe the above is possible. However, we also have the goal that the custom role that can re-assign ownership of content would not be able to view records for feature layers they do not own.
In our testing, we had to enable the Administrative privileges > Members > View all and Content > View all to allow the users in this custom role to be able to change ownership. They are also able to see records in feature layers they do not own.
Is what we're trying to accomplish possible? Or are we doing the right thing, and our goal is not possible?
What version of ArcGIS Enterprise?
In the latest release, reassigning content ownership is broken up into two privileges: your own content and then other users' content. This should be what you are after. Is this what you are testing?
In earlier releases, say 10.9.1, I believe it was all content in one privilege.