Role-based access tied to Google Workspace. SSO required to view any page on the staff portal. Per-resource permissions enforced server-side. Audit log records every access.
1. Cloudflare Access intercepts the request. No CAM session cookie? Redirects to Google.
2. User signs in with their @cmgcam.com Workspace account. 2FA enforced by Workspace.
3. Cloudflare Access checks Workspace group membership. Outside cam-staff@ = denied.
4. Signed JWT with user email, role, properties. Sent in the cf-access-jwt-assertion header.
5. Pages Function reads the JWT, looks up per-resource permissions, returns content or 403.
- Ops Director: Full access. Sees leadership dashboard, all properties, all financials, all audit logs. Can change other users' roles.
- Manager: Full access on assigned properties. Cannot view other managers' portfolios. Cannot change permissions.
- Accountant: All financials, all properties. Bill approval workflow access. No board-onboarding edits, no welcome packets.
- Front Desk: Read-only on their property's owner directory. Read/write on own concierge logs + package log. No financials, no NOLAs.
- Board liaison: Read-only on their association's BOD-level financials, minutes, manager reports. No other associations.
| Resource | Ops Director | Manager | Accountant | Front Desk | Board liaison |
|---|---|---|---|---|---|
| Operations Manual (read-only reference) | Full | Full | Full | Read | — |
| Owner ledgers (names, balances, payment history) | All | Own props | All | Own prop · names only | — |
| Long Financials (full P&L · BOD-only) | All | Own props | All | — | Own assoc |
| Short Financials (member-side summary) | All | Own props | All | Own prop | Own assoc |
| Mailings (NOLA, budget, etc.; page-per-page console) | Full | Own props | Read | — | — |
| Welcome packet onboarding (send + track) | Full | Own props | — | Own prop · view | — |
| Audit Log (compliance trail) | All | Own actions | Own actions | — | — |
| Notification settings (per-user prefs) | Self + others | Self only | Self only | Self only | Self only |
| Strategy Brief / Marketing (/opportunities, /marketing, /campaigns) | Full | Read | — | — | — |
| Competitor targeting (Sunbiz cross-ref · lead gen) | Full | — | — | — | — |
| Access control (this page; edit roles & permissions) | Full | Read | Read | — | — |
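The matrix above only enforces anything if the server evaluates it for every request. The block below is an added example, not the portal's own code: it encodes part of the matrix as data and checks it with deny-by-default. Role names are the page's; the resource keys, the reading of Full/All as read+write and Read as read-only, treating the audit log as never writable, treating a board liaison's association as an entry in the user's `properties` list, and the user object shape (`email`, `role`, `properties`) are assumptions.

```javascript
// Added example, not the portal's own code: the permission matrix as data,
// evaluated server-side with deny-by-default. Role names come from the page;
// resource keys, the rw/r encoding and the user shape are assumptions.
const ROLES = ['Operations Director', 'Manager', 'Accountant', 'Front Desk', 'Board liaison'];

// One cell per role, in ROLES order: [access, scope, fields?] or null (no access).
//   access: 'rw' (Full/All) or 'r' (Read)
//   scope:  'all' | 'own' (ids in user.properties; a board liaison's association included)
//           | 'self' | 'any-user' | 'own-actions' (rows filtered to the caller)
//   fields: optional column allow-list ("names only")
const MATRIX = {
  'owner-ledgers':         [['rw', 'all'], ['rw', 'own'], ['rw', 'all'], ['r', 'own', ['name']], null],
  'long-financials':       [['rw', 'all'], ['rw', 'own'], ['rw', 'all'], null, ['r', 'own']],
  'short-financials':      [['rw', 'all'], ['rw', 'own'], ['rw', 'all'], ['r', 'own'], ['r', 'own']],
  // Compliance trail: read-only for everyone in this encoding (assumption).
  'audit-log':             [['r', 'all'], ['r', 'own-actions'], ['r', 'own-actions'], null, null],
  'notification-settings': [['rw', 'any-user'], ['rw', 'self'], ['rw', 'self'], ['rw', 'self'], ['rw', 'self']],
  'competitor-targeting':  [['rw', 'all'], null, null, null, null],
  'access-control':        [['rw', 'all'], ['r', 'all'], ['r', 'all'], null, null],
};

// Returns {allowed, reason?, fields?, filter?}.
// Unknown resource, unknown role, unknown action or unknown scope => denied.
function authorize(user, { resource, action, propertyId = null, targetEmail = null }) {
  if (action !== 'read' && action !== 'write') return { allowed: false, reason: 'unknown action' };
  const row = MATRIX[resource];
  const cell = row && row[ROLES.indexOf(user.role)]; // index -1 => undefined => denied
  if (!cell) return { allowed: false, reason: 'no access for this role/resource' };
  const [access, scope, fields] = cell;
  if (action === 'write' && access !== 'rw') return { allowed: false, reason: 'read-only' };
  switch (scope) {
    case 'all':
    case 'any-user':
      break;
    case 'own':
      if (!propertyId || !(user.properties || []).includes(propertyId)) {
        return { allowed: false, reason: 'not an assigned property' };
      }
      break;
    case 'self':
      if (!targetEmail || targetEmail !== user.email) {
        return { allowed: false, reason: 'not your own settings' };
      }
      break;
    case 'own-actions':
      // Caller may read, but the query must be filtered to their own actions.
      return { allowed: true, filter: { actor: user.email } };
    default:
      return { allowed: false, reason: 'unknown scope' };
  }
  return fields ? { allowed: true, fields } : { allowed: true };
}
```

The result is meant to be consumed by the handler, not just tested for truthiness: a `fields` allow-list means the handler projects the response down to those columns, and a `filter` means the query is constrained before it runs, so "own actions" and "names only" are enforced in data access rather than by the page template.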
| User | Role | Last login | Device | IP region | 2FA | Action |
|---|---|---|---|---|---|---|
| tizi@cmgcam.com | Operations Director | Today 08:42 | macOS · Safari | Tallahassee, FL | ✓ | Revoke |
| melissa@cmgcam.com | Manager | Today 08:01 | iOS · Mobile | Tallahassee, FL | ✓ | Revoke |
| patty@cmgcam.com | Manager | Today 08:18 | iOS · Mobile | Tallahassee, FL | ✓ | Revoke |
| kyle@cmgcam.com | Accountant | Yesterday 17:34 | Windows · Chrome | Tallahassee, FL | ✓ | Revoke |
| frontdesk@plaza-tower.com | Front Desk Pool | Today 07:55 | iPad | Tallahassee, FL | ✓ | Revoke |
1. Cloudflare Access application: cmg.ittlh.dev/admin/* + /onboarding/admin* + /api/notify* (free tier, first 50 users).
2. Identity provider: Google Workspace, @cmgcam.com domain. Enforce 2FA at the Workspace level.
3. Workspace groups: cam-staff@, cam-managers@, cam-leadership@, cam-frontdesk@, cam-accountant@. Assign each user to the right group.
4. Middleware: functions/_middleware.js reads the cf-access-jwt-assertion header, validates it against Cloudflare's public key, and attaches the user to the request context.
5. Permission check: compare request.user.role with the requested resource's allowed roles before responding.