
Cloudflare Access — RBAC groups (admin reference)

Hostname: docs.apexstem.org (when the MkDocs deploy is live)
Model: path-based only. Cloudflare Access policies match URL path prefixes; a `roles:` key in a page's markdown frontmatter is documentation for humans and is neither read nor enforced by Access (noted in adversarial review).

Maintain the email → group mapping in the board password manager or the secretary's offline sheet; do not commit member emails to git.


Access groups

| Group ID | Who | Typical paths |
|---|---|---|
| apex-admin | 2 technical admins (Cloudflare + registrar break-glass) | All of /internal/* |
| apex-board | Trustees | /internal/board/*, governance SOPs |
| apex-finance | Treasurer + board chair | Finance SOPs, grant index |
| apex-mentors | Adult mentors | /internal/teams/*/engineering, safety, meeting checklists |
| apex-parents-ridge-racers | Ridge Racers parents/guardians | Team calendar, fees FAQ, parent onboarding |
| apex-sponsors | Active sponsors (optional in Year 1) | /internal/sponsors/* logo packs |
| apex-volunteers | General volunteers | Subset of public internal guides |

Deferred: apex-students-ridge-racers. Default for now: parents/guardians access the docs on behalf of under-13 students.


Path policies (MVP)

| Path prefix | Allowed groups |
|---|---|
| /internal/board/ | apex-board, apex-admin, apex-finance |
| /internal/finance/ | apex-finance, apex-board, apex-admin |
| /internal/teams/ridge-racers-nj/ | apex-parents-ridge-racers, apex-mentors, apex-board, apex-admin |
| /internal/sponsors/ | apex-sponsors, apex-board, apex-admin |

Coverage check: Access only gates paths that belong to an Access application; a request to a path that no application matches is passed to the origin unauthenticated. Add a catch-all application for docs.apexstem.org/internal/* (apex-admin only) so that any page outside the four prefixes above, for example the safety and meeting-checklist pages mentors use, is denied rather than served publicly. Access applies the most specific matching application path, so the four rows above still take precedence over the catch-all.

Search note: the MkDocs `search` plugin writes one site-wide index (search/search_index.json) containing the location, title and body text of every built page, including pages under /internal/, and browsers fetch it from the public part of the site regardless of Access policy. If that leak matters, build sensitive sections as a separate MkDocs site behind its own Access application, or disable the search plugin for the internal build.
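The two checks above (every /internal/ page is covered by a policy row, and nothing under /internal/ has leaked into the search index) can be run against the `mkdocs build` output before each deploy. The following is an added example written for this reference page, not code from MkDocs or Cloudflare; it assumes the default MkDocs layout (one `index.html` per page with `use_directory_urls`, index at `search/search_index.json`), mirrors the path-policy table in `POLICIES`, and builds a small constructed sample site tree so it runs offline:

```python
"""Audit a built MkDocs site against the Access path-policy table.

Added example for this reference page; it is not part of MkDocs or Cloudflare.
Assumptions not stated on the page: the build output is a MkDocs site tree
(one index.html per page, default use_directory_urls), the search plugin's
index sits at search/search_index.json (MkDocs default), and POLICIES mirrors
the "Path policies (MVP)" table above. The sample site built under
build_sample_site() is constructed here for illustration.
"""
import json
import tempfile
from pathlib import Path

# Mirror of the "Path policies (MVP)" table: path prefix -> allowed groups.
POLICIES = {
    "/internal/board/": {"apex-board", "apex-admin", "apex-finance"},
    "/internal/finance/": {"apex-finance", "apex-board", "apex-admin"},
    "/internal/teams/ridge-racers-nj/": {
        "apex-parents-ridge-racers", "apex-mentors", "apex-board", "apex-admin"},
    "/internal/sponsors/": {"apex-sponsors", "apex-board", "apex-admin"},
}
PROTECTED_ROOT = "/internal/"  # everything here must sit behind some policy


def built_pages(site_dir):
    """Site-relative URL paths ('/x/y/') for every index.html under site_dir."""
    site = Path(site_dir)
    pages = []
    for html in site.rglob("index.html"):
        rel = html.relative_to(site).parent.as_posix()
        pages.append("/" if rel == "." else f"/{rel}/")
    return sorted(pages)


def covering_policy(url_path):
    """Most specific policy prefix covering url_path, or None.

    Cloudflare Access matches the most specific application path, so a
    longest-prefix match reproduces which row would apply."""
    matches = [prefix for prefix in POLICIES if url_path.startswith(prefix)]
    return max(matches, key=len) if matches else None


def uncovered_internal_pages(site_dir):
    """Pages under /internal/ that no row of the table protects.

    Without a catch-all Access application these are served unauthenticated."""
    return [p for p in built_pages(site_dir)
            if p.startswith(PROTECTED_ROOT) and covering_policy(p) is None]


def search_index_leaks(site_dir):
    """Locations in search_index.json that point under /internal/.

    The index is one public JSON file, so titles and text of these pages are
    readable without passing any Access policy."""
    idx = Path(site_dir) / "search" / "search_index.json"
    if not idx.exists():
        return []
    docs = json.loads(idx.read_text())["docs"]
    internal = PROTECTED_ROOT.lstrip("/")  # index locations have no leading slash
    return sorted({d["location"].split("#")[0] for d in docs
                   if d["location"].startswith(internal)})


def build_sample_site(root):
    """Constructed stand-in for `mkdocs build` output (not a real build)."""
    pages = ["", "internal/board/", "internal/finance/grants/",
             "internal/teams/ridge-racers-nj/calendar/",
             "internal/safety/", "internal/checklists/"]  # last two: no policy row
    for p in pages:
        page_dir = Path(root) / p
        page_dir.mkdir(parents=True, exist_ok=True)
        (page_dir / "index.html").write_text(f"<title>{p or 'home'}</title>")
    docs = [{"location": p, "title": p or "Home", "text": "..."} for p in pages]
    docs.append({"location": "internal/board/#minutes", "title": "Minutes", "text": "..."})
    (Path(root) / "search").mkdir()
    (Path(root) / "search" / "search_index.json").write_text(
        json.dumps({"config": {}, "docs": docs}))


def audit_sample():
    """Build the constructed sample site in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return uncovered_internal_pages(tmp), search_index_leaks(tmp)


if __name__ == "__main__":
    uncovered, leaks = audit_sample()
    print("Uncovered /internal/ pages (need catch-all app):", uncovered)
    print("Search index entries under /internal/:", leaks)
```

Against a real build, point `uncovered_internal_pages()` and `search_index_leaks()` at the `site/` directory instead of the constructed sample; any non-empty result from the first call is a page that would be public without the catch-all application, and any result from the second is a title that search will reveal to unauthenticated visitors.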


Invite workflow

  1. Secretary receives name, email and role(s) from the team lead or the board.
  2. Admin adds the email to the correct Access group(s) in the Zero Trust dashboard.
  3. User signs in with Google (or a one-time PIN) at docs.apexstem.org.
  4. User completes the role onboarding checklist.

Offboarding: remove the email from all Access groups the same day a student, mentor or parent leaves. Group removal does not end a session that is already active: the Access token stays valid until its session duration expires, so also revoke the user's active Access sessions in the Zero Trust dashboard, and keep the session duration for /internal/ applications short.


Seat planning

The Cloudflare Zero Trust free plan covers up to 50 users. A seat is one distinct email that authenticates, not one group membership, so count unique parents + mentors + board + sponsors before inviting everyone.

If that number is exceeded, plan the Auth0 migration (Phase 3) or move parents to email-only updates with no docs login.