sync: auto-sync from HOWARD-HOME at 2026-06-10 20:21:07

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-10 20:21:07
2026-06-10 20:21:20 -07:00
parent 9c56690270
commit 83133ddce3
6 changed files with 536 additions and 0 deletions

@@ -0,0 +1,97 @@
# DRAFT — Dataforth shared-folder access & permissions discovery email
> Draft for ACG review. Recipients/sender to be set before sending.
> Suggested To: Dan Center (dcenter@dataforth.com). Suggested CC: Kevin Wackerly. From: ACG (Howard/Mike).
> Tone: plain-language, non-technical where possible. Goal: get their departments + the access matrix + sensitive-data rules so we can build the permission model.
---
**Subject:** Dataforth shared drives — setting up proper department access & permissions
Hi Dan,
As part of tightening things up after last year's security incident, we'd like to get Dataforth's shared network drives (the mapped drives everyone uses — Q:, S:, T:, W:, X:, Y:, B:, etc.) onto a proper department-based access model.
Right now, essentially **every shared drive is open to every employee** — anyone who logs in can open, change, or delete files on all of them, including folders like Payroll, OSHA records, Purchase Orders, and the accounting/Sage data. There are also no department-based permission groups in place, so there's no easy way to say "only Accounting sees the accounting folder." We'd like to fix that: give each department access to what it needs, restrict the sensitive areas, and make ongoing access management simple.
To do this right, we need your input on how *you* want it set up. Could you help us with the following? A short call works too if that's easier.
### 1. Confirm your departments
Here's our starting guess at Dataforth's departments — please correct/add/remove:
- Engineering
- Manufacturing / Production / Assembly
- Quality / Calibration
- Sales & Marketing
- Shipping / Receiving
- Accounting / Finance
- HR / Administration
- IT
- Management / Executive
### 2. Who gets access to which shared drive
For each shared drive, tell us which departments should have **Read/Write** (open & edit), **Read-Only** (view only), or **No access**. Here are the current drives and roughly what's in each:
| Drive | Share | What's in it (today) |
|---|---|---|
| Q: | c-drive | Company-wide mix — documents, Mfg, Shipping, SMT, Production Control, **Payroll, OSHA, Purchase Orders**, plus many person-named folders |
| T: | e-drive | Engineering & manufacturing (ENGR, ECO'S, FMEA, MANUFACT, TE) + **QuickBooks/accounting files** |
| S: | sage | Sage ERP / accounting, invoices, reports |
| W: | sales | Sales & marketing, contacts, RMAs, shipping handoffs |
| Y: | archive | Engineering archive (ENGR) |
| B: | Engineering | Main Engineering data (large) |
| B: | itsvc | IT software, drivers, server tools (IT use) |
| X: | webshare | Website/test-datasheet system (mostly automated — IT/Engineering) |
A simple way to answer is to fill in this grid (RW = read/write, RO = read-only, blank = no access):
```
Department | Q c-drive | T e-drive | S sage | W sales | Y archive | B Engineering | itsvc | webshare
--------------------------|-----------|-----------|--------|---------|-----------|---------------|-------|---------
Engineering | | | | | | | |
Manufacturing/Production | | | | | | | |
Quality/Calibration | | | | | | | |
Sales & Marketing | | | | | | | |
Shipping/Receiving | | | | | | | |
Accounting/Finance | | | | | | | |
HR/Administration | | | | | | | |
IT | | | | | | | |
Management/Executive | | | | | | | |
```
### 3. Sensitive areas — who specifically should see these?
These should almost certainly **not** be open to all staff. Please tell us who (which department, or specific people) should have access:
- **Payroll** (currently on Q:)
- **OSHA 300 / OSHA Safety Training** (injury/safety records — currently on Q:)
- **Purchase Orders** (currently on Q:)
- **Accounting / Sage / QuickBooks / invoices** (S:, plus QBfiles on T:)
- Anything else you consider confidential (HR files, contracts, pricing, etc.)
### 4. Who's in each department
So we can put the right people in the right groups, we need a list of employees by department. An existing org chart or staff roster is perfect — or if it's easier, we can put together a proposed list from what we know and you correct it.
### 5. Cleanup
The drives have accumulated a lot of old material over the years — folders literally named "Do not use," duplicates, and per-person folders from former staff. As we go, we can archive or remove what's no longer needed. Are there any folders you already know are safe to clean up, or anyone we should check with first?
### 6. Special cases
Anyone who needs access across departments (e.g. management seeing everything), contractors/outside parties, or individual exceptions?
---
Once we have this, we'll put together a clear access plan (a simple "who sees what" map), send it back for your sign-off, and then implement it in stages so nobody loses access unexpectedly. Nothing changes on your end until you've approved the plan.
Thanks Dan — happy to jump on a quick call to walk through it if that's easier.
Best,
[Sender]
Arizona Computer Guru
---
### Internal notes (do not send)
- The `test` drive (DOS test stations) stays open by necessity (SMB1/guest) — not part of this exercise; don't raise it with them.
- `webshare` must keep the `svc_testdatadb` service account — restrict humans only.
- Drive-letter B: covers both Engineering and itsvc in current docs — confirm during design.
- After their reply: build AD security groups (`SG-<Resource>-<RW|RO>`), draft the group×share matrix, get sign-off (Phase 2), then staged build (Phase 3). See `roadmap.md`.
- Sensitive-data rules likely need HR/Finance sign-off, not just Dan — ask who owns that decision.
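
Review bot: The "Internal notes (do not send)" section at the end of this draft sits in the same file as the client-facing email, separated only by a `---` rule, and it names the `svc_testdatadb` service account and the SMB1/guest `test` share, so copying the whole file into a message would disclose both to the recipient. Move the internal notes into a separate file so the email body can be sent as written. In the drive table, B: is also listed twice (`| B: | Engineering |` and `| B: | itsvc |`), while the fill-in grid gives itsvc and webshare no letter at all; the internal note already marks the B: mapping as unconfirmed, so either settle it before sending or list itsvc without a letter in both the table and the grid so the customer is not asked to assign access against an ambiguous drive.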