@@ -107,7 +107,7 @@ All UPNs above use the `@cascadestucson.com` suffix (standard).
- **Patricia Sandoval-Beck** — **Resolved 2026-04-22 (CSV inline note from Meredith):** hyphen is correct. SamAccountName may still need to be `Patricia.SandovalBeck` if ALIS/MDM reject hyphens — test during Wave 3.
- [ ]**Ederick Yuzon first-name spelling** — asked in 2026-04-22 email, still outstanding
- [x]~~Reliable Agency shared-login short usernames~~ (resolved 2026-04-22: reliable1/reliable2 confirmed)
- [x]~~Reliable Agency shared-login short usernames~~ (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins, per-person only)
- [ ]**Reliable Agency contract review** — confirm staffing contract says caregivers work under Cascades direct clinical control (workforce) vs. agency-supervised (BA). Get individual caregiver names before any PHI access.
- [ ] Will caregivers use ALIS on the shared phones (need ALIS accounts + Entra SSO) or only email?
- [ ] Does Cascades want to purchase 39 additional Business Premium licenses up-front, or roll out in waves (e.g., MedTechs first, then CCGs, then Caregivers)?
- [ ] Confirm pfSense WAN IP(s) are static enough to rely on in a CA Named Location policy
@@ -32,7 +32,7 @@ I will send a full list for you all to look over.
- **#2 Alma R Montt — ANSWERED.** D+P, ALIS=Y, Outside sign-in=Y. Title = "Memory Care Life Enrichment" (LE staff assigned to Memory Care residents — department stays Life Enrichment, title reflects the MC focus).
- **#3 Polett Pinazavala — DEPARTED.** No longer an employee. Was not in AD/M365 yet — just remove from the roster. No license to harvest, no account to disable.
- **#4 Ederick Yuzon — STILL PENDING.** John didn't address the spelling; assume he'll send a separate reply or we ping him again.
- **#5 / #6 Agency — CONFIRMED.** Usernames`reliable1`and`reliable2` as proposed. Shared-login accounts for whichever Reliable Agency caregiver is on shift.
- **#5 / #6 Agency — SUPERSEDED 2026-04-22 by HIPAA review.** Although John approved`reliable1`/`reliable2`, post-review the shared-login approach was dropped: HHS has explicitly stated sharedlog-on IDs for PHI access violate §164.312(a)(2)(i) (Required spec, no compensating-control exception). Replaced with: Reliable Agency must supply individual names; per-person accounts only. No shared credentials. Full rationale in `docs/security/hipaa-review-2026-04-22.md`.
### Agency caregivers — no shared logins (HIPAA decision 2026-04-22)
Shared logins used by whoever from Reliable Agency is covering a shift. Not tied to a specific person. John confirmed `reliable1` and `reliable2` as the usernames.
Originally planned as shared logins `reliable1@` / `reliable2@`. **Dropped** after HIPAA review — shared log-on IDs for PHI access violate 45 CFR §164.312(a)(2)(i) Unique User Identification (Required spec, no compensating-control exception). See `docs/security/hipaa-review-2026-04-22.md`.
| Name | Role | Email | Phone | Outside sign-in |
|---|---|---|---|---|
| Reliable Agency shared login #1 | Agency caregiver | reliable1@cascadestucson.com | Y | N |
| Reliable Agency shared login #2 | Agency caregiver | reliable2@cascadestucson.com | Y | N |
**Policy going forward:** Reliable Agency must provide individual names before any shift where a caregiver needs PHI access. Per-person accounts only. If the agency won't commit to that, their caregivers don't get ALIS / email access and must work under direct supervision of a Cascades-employed caregiver who does.
No entries on this list until names arrive.
---
@@ -194,8 +193,8 @@ Shared logins used by whoever from Reliable Agency is covering a shift. Not tied
| Shared front-desk receptionists | 4 |
| Courtesy Patrol | 3 |
| Caregivers / shift staff | 37 |
| Agency shared logins | 2 |
| **Total active identities / mailboxes** | **68** |
| Agency caregivers | 0 *(per-person only; no accounts until Reliable provides names — HIPAA decision 2026-04-22)* |
| **Total active identities / mailboxes** | **66** |
### Employees on the roster but no IT account
@@ -223,7 +222,7 @@ Shared logins used by whoever from Reliable Agency is covering a shift. Not tied
- **Britney Thompson — DEPARTED.** Disable existing AD account and harvest Business Standard + Exchange Online Essentials license.
- **Polett Pinazavala — DEPARTED.** Not in AD, no action needed other than removal from roster.
- **Alma R Montt — ANSWERED.** Title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y.
- **Agency usernames — CONFIRMED.**`reliable1`and`reliable2` as proposed.
- **Agency usernames — SUPERSEDED by HIPAA review.** John approved`reliable1`/`reliable2`, but shared-login accounts for PHI access are not HIPAA-compliant (§164.312(a)(2)(i)). No accounts created. Reliable Agency must provide individual names for per-person accounts.
- **Drivers — NO ACCOUNTS.** Disable existing 3 AD accounts (Richard Adams, Julian Crim, Christopher Holick).
@@ -110,7 +110,8 @@ No answer yet. This decision directly changes the license count and the CA polic
| Office staff with Outside=Y (Office-PHI external-OK) | **18** | Includes Alma. Britney removed (departed). |
| + Office Outside=N + ALIS=Y (Allison Reibschied, Sharon Edwards) | **20** | Need CA coverage even in building-only posture |
| + Matt Brooks (dual-dept, ALIS=Y) | **21** | Per rollout plan §3 |
| All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers + 2 agency = **67** | Plus Ramon Castaneda for office non-PHI = **68** total active identities |
| All licensed seats under building-only-default | 21 office + 3 Courtesy Patrol + 4 Reception + 37 caregivers = **65** | Plus Ramon Castaneda for office non-PHI = **66** total active identities |
| Agency caregivers (per-person, if/when names arrive) | +1 each | No accounts until Reliable Agency provides names — HIPAA §164.312(a)(2)(i) prohibits shared PHI-access logins |
## Action items
@@ -118,7 +119,7 @@ No answer yet. This decision directly changes the license count and the CA polic
- [ ] Push Meredith for the "restrict everyone or just some" decision — still unanswered as of 2026-04-22
- [x]~~Agency shared-login username preference~~ (SUPERSEDED 2026-04-22 by HIPAA review — no shared logins; per-person only)
- [ ]**Ederick Yuzon spelling** — only remaining question from the 2026-04-22 follow-up email
- [ ] Decide: standalone P2 add-on for the 19 OR move those users to Business Premium OR move whole tenant to Business Premium (default recommendation: Premium tenant-wide)
- [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy
// Caregivers — agency shared-login accounts (usernames confirmed by John 2026-04-22)
["Reliable Agency shared login #1","Agency caregiver","Caregivers (shift staff)","D+P",false,true,"Shared login — whoever from Reliable Agency is on shift signs in. Username: reliable1@cascadestucson.com (confirmed by John)."],
["Reliable Agency shared login #2","Agency caregiver","Caregivers (shift staff)","D+P",false,true,"Shared login — whoever from Reliable Agency is on shift signs in. Username: reliable2@cascadestucson.com (confirmed by John)."],
// Agency caregivers — no shared accounts. HIPAA review 2026-04-22: shared logins for PHI
// access violate 45 CFR 164.312(a)(2)(i) Unique User Identification. Reliable Agency must
// supply individual names before per-person accounts can be provisioned. No rows here
@@ -29,11 +29,11 @@ Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, l
| **Courtesy Patrol** | D+P | N | N | 3 | Sebastian Leon, Sheldon Gardfrey, Ray Rai |
| **Shared-PC Reception** | D | N | N | 4 | Cathy, Shontiel, Kyla, Michelle |
| **Caregiver (shared-phone)** | D+P | N | Y | 37 | See caregiver-m365-p2-rollout.md |
| **Agency shared login** | D+P | N | Y | 2 | `reliable1`, `reliable2` |
| **Agency caregivers (per-person)** | D+P | N | Y | 0 | None created. HIPAA-mandated per-person IDs — Reliable must supply names. No shared logins. |
| **Driver (no IT access)** | — | — | — | 3 | Richard Adams, Julian Crim, Christopher Holick — on roster for tracking, existing AD accounts to be disabled |
| **Departed (disable/remove)** | — | — | — | 2 | Britney Thompson (has AD+M365, must be disabled), Polett Pinazavala (no account, just remove from roster) |
(Identities to create or keep active: **68**. Roster-only-no-account: 3 drivers. Departures: Britney + Polett. Christine Nyanzunda sits in one persona — Office-PHI — with her caregiver-shift sign-in handled via exception group if needed.)
(Identities to create or keep active: **66**. Roster-only-no-account: 3 drivers. Departures: Britney + Polett. No agency accounts created — per-person names required. Christine Nyanzunda sits in one persona — Office-PHI — with her caregiver-shift sign-in handled via exception group if needed.)
## 3. License mapping per persona
@@ -51,14 +51,15 @@ Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, l
| Courtesy Patrol | Business Standard | Could be F3 if they don't need full desktop Office; confirm with Meredith |
| Shared-PC Reception | Business Standard | Frontdesk@ stays as shared mailbox, named accounts read it |
| Caregiver | **Business Premium** | Per `caregiver-m365-p2-rollout.md` — P2 is load-bearing for shared-phone CA |
| Agency shared login | **Business Premium**| Same CA posture as caregivers (shared-phone, building-only) |
| Agency caregivers (per-person) | **Business Premium**each | Only provisioned when Reliable Agency provides individual names. Zero created as of 2026-04-22. |
| Driver | **None** | No IT access — accounts disabled. License previously used (if any) harvested. |
| Britney Thompson (departing) | **None** (harvest) | Disable account, free Business Standard + Exchange Online Essentials |
- Per-person agency: +1 each if/when Reliable Agency provides names
**Post-2026-04-22 update:** With the building-only-by-default CA decision confirmed, every licensed user needs Entra P1 coverage (either via Business Premium, or Business Standard + standalone Entra P1). Without P1, CA policies don't apply and the user sidesteps the default-deny. This effectively collapses the mixed-SKU table above into a recommendation for **Business Premium tenant-wide (~68 seats)** — the Business Standard rows stay in the table only as a reference for what we'd buy if budget forces unbundling. Proceed with Premium-tenant-wide unless Meredith pushes back. Britney's harvested Business Standard + Exchange Online Essentials license plus any freed driver licenses go back into the pool to offset the Premium purchase.
@@ -129,27 +130,64 @@ These must be resolved before creating or converting accounts. See also `cascade
| **Ederick Yuzon** — spelling not confirmed | **Still pending Meredith/John.** | Block on creation of his caregiver account only. Everyone else proceeds. Tentative: `Ederick.Yuzon` if needed to unblock Wave 3. |
| **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. |
| **37 caregivers** — on CSV, none in AD | Unchanged. | Create all 37 AD accounts (+ M365) in Wave 3. |
| **2 agency placeholders** — on CSV, not in AD | **RESOLVED 2026-04-22 (John's reply) — usernames `reliable1` / `reliable2` confirmed. Shared logins, not per-person.** | Create 2 shared AD/M365 accounts: `reliable1@cascadestucson.com` and `reliable2@cascadestucson.com`. Audit attribution caveat: individual accountability in sign-in logs is weaker because multiple people share the account. Acceptable tradeoff. |
| **2 agency placeholders** — on CSV, not in AD | **RESOLVED 2026-04-22 (Howard, post-HIPAA-review) — NO shared logins. Per-person accounts only.** | Do NOT create `reliable1`/`reliable2`. Reliable Agency must supply individual names before any caregiver can access PHI. Until then, agency staff work under direct supervision of a Cascades-employed caregiver who is signed in. Rationale documented in `docs/security/hipaa-review-2026-04-22.md`. |
| **Generic AD accounts** (`Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare`) | Unchanged. | Phase 5 cleanup after named-account coverage. |
**Username convention for new accounts:** TitleCase `First.Last` (e.g., `Alma.Montt`, `Kyla.QuickTiffany`). Existing lowercase exceptions in AD (`britney.thompson`, `karen.rossini`, `lauren.hasselman`) are the known legacy cases — leave as-is, don't rename. All net-new accounts follow TitleCase.
## 7. Rollout sequence
### Wave 0 — Pre-flight (blocks waves 1+)
- **Ederick Yuzon spelling** — only remaining email blocker. Blocks Wave 3 only (his caregiver account); does NOT block Waves 1/2.
- Final license decision (Business Premium tenant-wide vs. mixed) — recommendation is Premium tenant-wide, needs Meredith sign-off
- Purchase license count locked in
### Wave 0 — HIPAA pre-flight (must complete before any account changes)
### Wave 1 — Departures + new office accounts (ready to execute)
- Disable `britney.thompson` AD account; convert mailbox to shared; harvest Business Standard + Exchange Online Essentials license
Per `docs/security/hipaa-review-2026-04-22.md`. These are compliance blockers, not operational blockers — fix before touching accounts.
- **Create break-glass cloud-only admin** (`breakglass@cascadestucson.com`): excluded from all CA, FIDO2 security key, vaulted password, sign-in alerts to Howard + Meredith
- **Enable SMB3 encryption** on `\\CS-SERVER\homes`: `Set-SmbShare -Name homes -EncryptData $true`
- **Extend M365 audit retention** to 6+ years (Purview Audit Premium add-on or retention policy)
- **Put Britney's mailbox on Litigation Hold** with verified archive license — BEFORE her account is disabled
- **Ask Meredith** for the Reliable Agency staffing contract (confirm direct-control language = workforce, not BA)
2.**Add UPN suffix**`cascadestucson.com` in AD Domains and Trusts
3.**Update all synced users' UPN** to `firstname.lastname@cascadestucson.com`
4.**Convert M365 role-based accounts to shared mailboxes** FIRST (accounting@, frontdesk@, hr@, etc. — listed in `docs/cloud/m365.md`) — frees 11 licenses
5.**Delete**`Kristiana Dowse` and `howaed` typo accounts from M365
6.**Reconcile**`nick pavloff` (M365-only) — create AD account if still employed, or delete
7.**CS-SERVER readiness check** (separate task — OS version, .NET, disk, FSMO, conflict with QuickBooks DB listener)
8.**Install Entra Connect in staging mode** on CS-SERVER → Password Hash Sync → Seamless SSO → scope to `OU=Departments`
9.**Review planned sync output** for unexpected matches/duplicates
10.**Take out of staging**, verify users see their cloud mailboxes working on the same password
11.**Communicate to users:** Outlook will prompt once for password; enter your Windows password
User-visible impact: one Outlook password prompt on day-of-cutover. **No impact on AD domain logon.**
### Wave 1 — Departures + new office accounts (ready after Waves 0 and 0.5)
- Disable `britney.thompson` AD account — AFTER Litigation Hold is confirmed, mailbox converted to shared with designated custodian (likely Meredith or Lois), Business Standard + Exchange Online Essentials license harvested
- Disable 3 driver AD accounts (`Richard.Adams`, `Julian.Crim`, `Christopher.Holick`)
- Ask Meredith whether to keep or retire `Transportation@` shared mailbox
- Create AD + M365 for Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)
-Create AD + M365 for Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only)
-Create AD + M365 for `reliable1@` and `reliable2@` (shared agency logins, D+P, ALIS=Y, building-only)
- Create AD accounts (and let Entra Connect sync to M365) for:
-Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)
-Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only)
- Validate group membership + CA policy assignment on the new accounts before moving to Wave 2
- Pilot the `CSC - Building Only (Default)` policy with Kyla
- Pilot the `CSC - Building Only (Default)` policy with Kyla (Report-only mode first)
### Wave 1 — DO NOT DO
- Do NOT create `reliable1@` or `reliable2@` shared agency accounts (HIPAA review 2026-04-22). See §6 reconciliation + `docs/security/hipaa-review-2026-04-22.md`.
### Wave 2 — Existing office accounts, reassignment only
- Move existing users into new OU layout (no identity changes, just OU move + group membership)
@@ -185,6 +223,28 @@ Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built l
- **Folder redirection GPO rollout** (`CONTEXT.md` §48) — when we move users to new OUs, make sure the FR GPOs are re-linked to the new OU or stay linked to parent `OU=Cascades Users`. Test on one mover before batch.
- **Intune phone rollout** (`PROJECT_STATE.md`) — caregiver accounts must exist before Wave 3 of phone deployment (24 remaining Samsung A15s). Identity-first, device-second.
- **File-share migration: Synology → CS-SERVER** (`docs/migration/phase2-server-prep.md` §4c–4d + `docs/migration/phase4-synology.md`) — Synology Drive Client is live-syncing `\\cascadesds\*` → `D:\Shares\Main` on CS-SERVER (confirmed 2026-03-07). Before users are cut over to CS-SERVER-sourced mapped drives, the AD security groups used for NTFS ACLs on CS-SERVER (`SG-Management-RW`, `SG-Sales-RW`, `SG-Culinary-RW`, `SG-Directory-RW`, `SG-IT-RW`, `SG-Receptionist-RW`, `SG-Chat-RW`, `SG-Server-RW`) must:
1. Exist in AD (created by `scripts/phase2-ad-setup.ps1`)
2. Have membership that matches the current per-user access on Synology — a **permission-inventory** step (see below) must produce this mapping before `scripts/phase2-file-shares.ps1` runs
3. Populate from the user rollout waves — the 22 office-PHI users, 4 receptionists, 3 courtesy patrol, 1 Matt Brooks (dual-dept), 1 Ramon Castaneda, plus caregivers as needed all land in the right `SG-*` groups at account creation
- Additional HIPAA additions to the phase2 script (per `docs/security/hipaa-review-2026-04-22.md`): enable SMB3 encryption (`Set-SmbShare -EncryptData $true` on every share) and enable Object Access auditing for §164.312(b) Audit Controls
- Drivers off the SG-* lists entirely — they lose file-share access along with their AD accounts
### Permission-inventory prerequisite
A one-time non-destructive read of the live Synology is needed to produce the mapping from Synology local users/groups → AD security groups. Commands (run via SSH to `admin@192.168.0.120`, creds at `clients/cascades-tucson/synology-cascadesds.sops.yaml`):
for share in homes Management SalesDept Server chat Public Culinary IT Receptionist directoryshare;do
sudo synoacltool -get /volume1/$share# ACLs per share
done
sudo synoshare --get homes # per-share config incl. SMB encryption state
```
Output goes to `docs/migration/synology-permission-inventory.md`, which is then the reference for populating AD groups and building `phase2-file-shares.ps1` inputs. Discovery is non-destructive and can run any time the Synology is up — does not require a maintenance window.
## 10. Open decisions blocking the rollout
@@ -199,7 +259,7 @@ Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built l
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John).
- Drivers → no IT access per Howard. Disable 3 AD accounts. Stay on roster for tracking.
## 11. Related docs
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.