Hi @Pirate-Jesse . I’ve been experimenting with the Organiser role in Action Network recently and I think I can clarify a little about how the organiser role works.
An Organiser can create events but they can only email people who’ve RSVP’d if the organiser is listed as the creator of the event. This means that the organiser’s name would be shown on the event page (like shown here):
And whenever someone RSVPs, their details get added to the organiser’s personal list in Action Network as well as to the XR group’s list. Hence the person’s details get ‘leaked’ outside the XR Action Network group. If the organiser later left XR, they would still retain access to the personal info of everyone who RSVP’d.
It is possible to create an event without a ‘creator’ (see here on Mattermost), but in that case, the organiser won’t be able to email RSVPers.
Step 2 of the draft access policy involves the event host being added as an Organiser. So the Action Network access policy as currently worded would either result in rebels’ details leaking outside XR, or else wouldn’t achieve the aim of untrusted event hosts being able to email people who’ve RSVPd to their events.
I think we can achieve what’s needed by adding the untrusted event host as an Administrator of the new Action Network group instead of an Organiser, but only with permission to send emails:
The event host could then create events and email people who’ve RSVPd to events. They will be able to see the details of people who’ve RSVP’d to events but not of people who haven’t RSVPd. (I’ve tested & confirmed this.)
Actually they could email everyone in the new group’s list, but initially the only people in the lists will be people who’ve RSVPd to events so that wouldn’t make any difference.
After step 3, the event host could email everyone in the group, for instance with a regular newsletter or announcements about upcoming meetings, but wouldn’t be able to view rebels’ details until they had undergone AN training and been given higher permissions by the Action Network admin.
Here’s a suggested edit to the policy as per the above:
Step 2 point 2:
The Mobiliser can then train the Event Host and assist them to create an Action Network account, and add them as an administrator to the Action Network subgroup, but only with permission to launch emails. This gives the Event Host the ability to create events and send emails to those who RSVP to their events but does not give access to any other data or rebel’s details
Step 3 last point:
Note: Until this training has been completed the Local Group Coordinators/Tech Champion can still create events and send emails to those who have RSVP’d to their events or to the whole group list but can not administer rebel’s data or see those who have yet to RSVP.