I want to be able to restrict access to organization members, a group that changes from year to year, and I don't want others to be able to access the archives using a URL that bypasses OACS login security.
If there were a way to accomplish this with Static Pages, I would use it. Otherwise, I was hoping that a more robust OACS 5 Content Management application would do a better job.
I haven't done this, so I'm guessing that it will work. Somebody else pipe up if this is incorrect...
You can control access based on acs-subsite Application group membership.
My understanding is that you should be able to create a subsite (say, mlist), set it's join policy to closed, and mount a static pages instance under that subsite (say mlist/archive). You can control membership in the groups "mlist Administrators" and "mlist Members", created by the subsite instantiation code. If you already have a member group, you may be able to assign subsite permissions to that group, though I'm not certain.
You then should be able to create a directory "<acs root>/www/mlist/archives" and place your static content there.