sync: auto-sync from HOWARD-HOME at 2026-07-01 13:50:18

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-01 13:50:18
2026-07-01 13:50:49 -07:00
parent 486b72ec71
commit 142afd7e98

@@ -0,0 +1,85 @@
# Cascades — Caretaker roster update (client list received 2026-07-01)
**Source:** updated caretaker list from the client, reconciled against live AD
(CS-SERVER, `OU=Caregivers,OU=Departments,DC=cascades,DC=local` + `SG-Caregivers`)
pulled 2026-07-01 via RMM (cmd `bf80962c`).
**Live state:** OU holds 42 objects = 40 enabled caregivers + `pilot.test` (test
artifact) + `n.castro` (disabled). `SG-Caregivers` = the same 40. All 40 were
Business Premium-licensed + temp-passworded 2026-06-30. The client's 40-entry list
maps 1:1 onto the 40 enabled accounts — no unknowns in either direction.
## Departures — 7 marked "no longer with us" (all have live enabled accounts)
| Person | Account | Notes |
|---|---|---|
| Bella Mendoza | b.mendoza | ALIS: already Discharged |
| Corey Tate | c.tate | ALIS: already Discharged |
| Diana Fierros | d.fierros | no ALIS record |
| Gloria Williford | g.williford | ALIS: already Discharged |
| Kasey Flores | k.flores | ALIS: already Discharged |
| Maia Baker | m.baker | ALIS: already Discharged |
| Mary Kariuki | m.kariuki | ALIS: Discharged, DUP records 429856/429858 |
These are exactly the 7 flagged 2026-06-29/30 as ALIS-Discharged / no-ALIS-record —
consistent with them having already left. None ever logged in (accounts bulk-created
May, passwords never used). Offboarding = disable AD account + remove from
SG-Caregivers + remove Business Premium license (frees 7 of 45 seats).
## Additions — 5 requested
| Person | Proposed account | Status |
|---|---|---|
| Christine Nyanzunda | christine.nyanzunda (EXISTS, OU=Care-Memorycare) | Was explicitly EXCLUDED from SG-Caregivers 2026-06-30 (Howard: frontline only; she is admin-adjacent, Health Admin Assistant roles in ALIS). Client now lists her as a caretaker — needs decision. |
| Alejandra Vallejo | a.vallejo (new) | Already in ALIS as caregiver; no AD account (known gap from 6/30). |
| Jeanpabtiste Munezero | j.munezero (new) | New hire; no AD or ALIS record found. |
| Nicole Cota | n.cota (new) | New hire. No conflict with disabled n.castro. |
| Katlyn Robinson | k.robinson (new) | New hire. |
New accounts follow the `f.lastname@cascadestucson.com` caregiver convention.
Full onboarding per 6/30 pattern: AD account in OU=Caregivers, SG-Caregivers add
(on-prem only — cloud adds fail), usageLocation=US + Business Premium, temp password
forced-change, vault, ALIS staff record Email=UPN.
## Flags from the client's annotations
- **Tele Sepopo Lassey Assiakoley = Cecilia/Celia Lassey (client-confirmed).**
BOTH `c.lassey` and `t.lassey-assiakoley` exist enabled, licensed, and in
SG-Caregivers — one person, two accounts, two licenses. Consolidate: pick one,
disable the other, reclaim a seat. (Resolves the 6/4 worklist open question.)
- **Zeke Huerta (e.huerta) now works the front desk.** He is in SG-Caregivers →
subject to the caregiver CA lockdown (on-network + allow-listed devices only,
no MFA). Front desk may need the privileged bucket instead (email from anywhere,
MFA offsite) and different ALIS roles. Decision needed. UPN stays e.huerta
(Howard 6/30: do not "correct" to z.huerta).
- **Charity Sika = b.sika** — client list ties the name Charity to b.sika@,
consistent with ALIS "Bariffa Sika" (staffId 309045). Treat as same person.
## License math (SPB, 45 seats, 45 consumed as of 6/30)
Disable 7 leavers + 1 Lassey dup = 8 seats freed; 4-5 new hires need seats
(Nyanzunda may already be licensed) → net 3-4 seats free after the update.
## Status (executed 2026-07-01, Howard's decisions via session prompts)
- [x] Disabled 7 departed accounts + removed from SG-Caregivers + reclaimed licenses (RMM cmd b5329b71)
- [x] Lassey duplicate: KEEP c.lassey; t.lassey-assiakoley disabled + license reclaimed
- [x] Huerta: removed from SG-Caregivers (front desk -> privileged bucket). Account stays
enabled in OU=Caregivers — sync scope is ONLY OU=Caregivers/Groups/Caregiver Devices,
so an OU move would delete his cloud object. Move deferred until Administrative OU
enters sync scope. **He needs MFA (Authenticator) registration** — now under the
MFA-for-all-users policy with no caregiver-block policies.
- [x] Nyanzunda: LEFT OUT of SG-Caregivers (frontline-only rule stands; she keeps her
existing christine.nyanzunda account with broader access)
- [x] Created 4 new accounts (a.vallejo, j.munezero, n.cota, k.robinson): OU=Caregivers,
SG-Caregivers, usageLocation=US, Business Premium, forced-change temp passwords.
Vault: `clients/cascades-tucson/caregiver-temp-passwords-2026-07-01.sops.yaml`.
Passwords DM'd to Howard (Discord msg 1521981205443117116).
- [x] Verified: 8 offboarded = accountEnabled=false + 0 licenses; 4 new = SPB licensed.
SG-Caregivers = 35 members. SPB pool: 45 enabled / 41 consumed (4 free).
- [ ] ALIS: create staff records for Munezero/Cota/Robinson (need job roles:
Certified vs Resident Caregiver); Vallejo exists — set Email=a.vallejo@ (UPN).
Import .xls via `alis` skill `build-import`.
- [ ] Huerta MFA registration (Authenticator) — first time he's onsite.
- [ ] Optional: notify client that Nyanzunda already has an account (not added to
caregiver group by design).
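
Review bot: In the Status block, the Huerta item is checked off as removed from SG-Caregivers and "now under the MFA-for-all-users policy with no caregiver-block policies", while "Huerta MFA registration (Authenticator) — first time he's onsite" is still an open checkbox. As written, e.huerta has lost the on-network and allow-listed-device restriction before a second factor is registered. Record what protects the account during that window, or note that the group removal takes effect only once registration is done. Separately, the new-accounts item says the temp passwords were "DM'd to Howard (Discord msg 1521981205443117116)" in addition to the sops vault file. That puts credentials in a chat channel outside the vault, so either note that the message was deleted after pickup or drop the DM and point only at the vault path. Neither the Status list nor the open items says what happens to `pilot.test`, which the header calls a test artifact in OU=Caregivers, the OU the Huerta item names as being in sync scope. An explicit keep or remove line would close that out.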