From 142afd7e98718fbcd650214177977daef2d7c63d Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Wed, 1 Jul 2026 13:50:49 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-07-01 13:50:18 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-01 13:50:18 --- .../2026-07-01-caretaker-roster-update.md | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md diff --git a/clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md b/clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md new file mode 100644 index 00000000..1002516a --- /dev/null +++ b/clients/cascades-tucson/reports/2026-07-01-caretaker-roster-update.md 
@@ -0,0 +1,85 @@ +# Cascades — Caretaker roster update (client list received 2026-07-01) + +**Source:** updated caretaker list from the client, reconciled against live AD +(CS-SERVER, `OU=Caregivers,OU=Departments,DC=cascades,DC=local` + `SG-Caregivers`) +pulled 2026-07-01 via RMM (cmd `bf80962c`). + +**Live state:** OU holds 42 objects = 40 enabled caregivers + `pilot.test` (test +artifact) + `n.castro` (disabled). `SG-Caregivers` = the same 40. All 40 were +Business Premium-licensed + temp-passworded 2026-06-30. The client's 40-entry list +maps 1:1 onto the 40 enabled accounts — no unknowns in either direction. + +## Departures — 7 marked "no longer with us" (all have live enabled accounts) + +| Person | Account | Notes | +|---|---|---| +| Bella Mendoza | b.mendoza | ALIS: already Discharged | +| Corey Tate | c.tate | ALIS: already Discharged | +| Diana Fierros | d.fierros | no ALIS record | +| Gloria Williford | g.williford | ALIS: already Discharged | +| Kasey Flores | k.flores | ALIS: already Discharged | +| Maia Baker | m.baker | ALIS: already Discharged | +| Mary Kariuki | m.kariuki | ALIS: Discharged, DUP records 429856/429858 | + +These are exactly the 7 flagged 2026-06-29/30 as ALIS-Discharged / no-ALIS-record — +consistent with them having already left. None ever logged in (accounts bulk-created +May, passwords never used). Offboarding = disable AD account + remove from +SG-Caregivers + remove Business Premium license (frees 7 of 45 seats). + +## Additions — 5 requested + +| Person | Proposed account | Status | +|---|---|---| +| Christine Nyanzunda | christine.nyanzunda (EXISTS, OU=Care-Memorycare) | Was explicitly EXCLUDED from SG-Caregivers 2026-06-30 (Howard: frontline only; she is admin-adjacent, Health Admin Assistant roles in ALIS). Client now lists her as a caretaker — needs decision. | +| Alejandra Vallejo | a.vallejo (new) | Already in ALIS as caregiver; no AD account (known gap from 6/30). 
| +| Jeanpabtiste Munezero | j.munezero (new) | New hire; no AD or ALIS record found. | +| Nicole Cota | n.cota (new) | New hire. No conflict with disabled n.castro. | +| Katlyn Robinson | k.robinson (new) | New hire. | + +New accounts follow the `f.lastname@cascadestucson.com` caregiver convention. +Full onboarding per 6/30 pattern: AD account in OU=Caregivers, SG-Caregivers add +(on-prem only — cloud adds fail), usageLocation=US + Business Premium, temp password +forced-change, vault, ALIS staff record Email=UPN. + +## Flags from the client's annotations + +- **Tele Sepopo Lassey Assiakoley = Cecilia/Celia Lassey (client-confirmed).** + BOTH `c.lassey` and `t.lassey-assiakoley` exist enabled, licensed, and in + SG-Caregivers — one person, two accounts, two licenses. Consolidate: pick one, + disable the other, reclaim a seat. (Resolves the 6/4 worklist open question.) +- **Zeke Huerta (e.huerta) now works the front desk.** He is in SG-Caregivers → + subject to the caregiver CA lockdown (on-network + allow-listed devices only, + no MFA). Front desk may need the privileged bucket instead (email from anywhere, + MFA offsite) and different ALIS roles. Decision needed. UPN stays e.huerta + (Howard 6/30: do not "correct" to z.huerta). +- **Charity Sika = b.sika** — client list ties the name Charity to b.sika@, + consistent with ALIS "Bariffa Sika" (staffId 309045). Treat as same person. + +## License math (SPB, 45 seats, 45 consumed as of 6/30) + +Disable 7 leavers + 1 Lassey dup = 8 seats freed; 4-5 new hires need seats +(Nyanzunda may already be licensed) → net 3-4 seats free after the update. + +## Status (executed 2026-07-01, Howard's decisions via session prompts) + +- [x] Disabled 7 departed accounts + removed from SG-Caregivers + reclaimed licenses (RMM cmd b5329b71) +- [x] Lassey duplicate: KEEP c.lassey; t.lassey-assiakoley disabled + license reclaimed +- [x] Huerta: removed from SG-Caregivers (front desk -> privileged bucket). 
Account stays + enabled in OU=Caregivers — sync scope is ONLY OU=Caregivers/Groups/Caregiver Devices, + so an OU move would delete his cloud object. Move deferred until Administrative OU + enters sync scope. **He needs MFA (Authenticator) registration** — now under the + MFA-for-all-users policy with no caregiver-block policies. +- [x] Nyanzunda: LEFT OUT of SG-Caregivers (frontline-only rule stands; she keeps her + existing christine.nyanzunda account with broader access) +- [x] Created 4 new accounts (a.vallejo, j.munezero, n.cota, k.robinson): OU=Caregivers, + SG-Caregivers, usageLocation=US, Business Premium, forced-change temp passwords. + Vault: `clients/cascades-tucson/caregiver-temp-passwords-2026-07-01.sops.yaml`. + Passwords DM'd to Howard (Discord msg 1521981205443117116). +- [x] Verified: 8 offboarded = accountEnabled=false + 0 licenses; 4 new = SPB licensed. + SG-Caregivers = 35 members. SPB pool: 45 enabled / 41 consumed (4 free). +- [ ] ALIS: create staff records for Munezero/Cota/Robinson (need job roles: + Certified vs Resident Caregiver); Vallejo exists — set Email=a.vallejo@ (UPN). + Import .xls via `alis` skill `build-import`. +- [ ] Huerta MFA registration (Authenticator) — first time he's onsite. +- [ ] Optional: notify client that Nyanzunda already has an account (not added to + caregiver group by design).
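Review bot: In the Status section, the Huerta entry is checked off as done although it leaves a window the report does not cover: he is already removed from SG-Caregivers, so the caregiver CA lockdown (on-network + allow-listed devices only) no longer applies, while "Huerta MFA registration (Authenticator)" is still an open item deferred to "first time he's onsite". The report should state what protects e.huerta until registration happens, or the group removal should be sequenced after the onsite registration and the checkbox left open until both are complete. Separately, the line "Passwords DM'd to Howard (Discord msg 1521981205443117116)" records a second copy of the temp passwords outside the sops vault named on the previous line; add a checklist item to delete that DM once the passwords are handed off, and consider whether the message id belongs in a committed report at all. The roster also lists `pilot.test` as a test artifact in OU=Caregivers without giving its enabled state or a cleanup item, which is worth adding given that this OU is in sync scope.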