Hello! Thanks for your patience in getting this reply. Here are some answers to your questions that I hope you'll find useful!
- What roles can control who can see what rows?
The following roles can control who can see what rows: ArcGIS Online administrators, Publishers (who belong to the site's core team group), and the site/initiative manager (usually the person who created the initiative and its corresponding site). By default, anyone (including community users) who is added to the initiative’s core team is automatically made a “group manager” in the team. So long as they are Publisher or higher, they should have no issue selecting groups for private row access.
- How do I assign/change roles in the Hub or in the community group to members in the community group, but aren't in your organisation?
If you are an ArcGIS Online admin, you can assign/change roles for any member of your ArcGIS Online organization. As you know, community members are housed in another ArcGIS Online organization that's totally separate from your primary org. This is commonly called your community organization or secondary organization. Only people who are community administrators can change the ArcGIS Online roles for community members. We typically recommend that community members have a Publisher role assigned to their account. This role allows them to join groups (i.e., follow an initiative, sign up for an event, become a team member, and create their own content).
The Hub community group – This group is just a group to which all community users are added when they get or create a community account. By default, community users who join a team, sign up for an event, or follow an initiative are added to the team group, event attendees group, followers group, respectively. And likewise, they can view private content shared with just the group, including rows. You can also create additional groups (teams) by adding supporting teams to your initiative and adding the users (community + employees from your primary org) to the group and setting private row access that way.
You may notice the "groups manager" team role inside of a supporting team. You don’t have to worry about this role in terms of setting row access. It just means that anyone elevated to this role within a team has the ability to modify the team description and settings; in view supporting teams, they can add other users' content; in view and edit supporting teams, they can unshare content owned by any other team members.
Keep in mind that the unique partnership between your main organization and the community organization is secured, so that community members can ONLY access the content available to them through a group. Regardless of their role within the community organization, or a group/team, they have no way to access any content belonging to your main org, unless you explicitly share it with them through a group.
We are working to clarify this in the documentation, and in the meantime, welcome any feedback on this explanation.
Thanks,
Katie