sync: auto-sync from HOWARD-HOME at 2026-06-25 12:30:38

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-25 12:30:38
2026-06-25 12:31:14 -07:00
parent ca44a005cc
commit b9d4cfde98
6 changed files with 790 additions and 4 deletions

View File

@@ -54,7 +54,7 @@ Crystal Rodriguez, Veronica Feller, Shelby Trozzi, Christina DuPras · ~~Tamra
**RW (per matrix "Access: Directory"):** Meredith, Ashley, Lauren, Allison, Megan, Crystal,
Lois, Karen, Veronica, Shelby, Christine, Christina DuPras, Cathy Kingston, Shontiel Nunn,
Kyla Quick Tiffany *(no AD acct yet)*, Michelle Shestko, Sebastian Leon, Sheldon Gardfrey,
Ray Rai, Susan Hicks, Sharon Edwards, Alma R Montt *(no AD acct yet)*, John Trozzi, Matt Brooks, Lupe Sanchez
Ray Rai, Susan Hicks, Sharon Edwards, John Trozzi, Matt Brooks, Lupe Sanchez · ~~Alma R Montt~~ *(OFFBOARDED 2026-06-25)*
**Excluded:** kitchen staff (JD, Ramon, Alyssa), drivers, caregivers
> **Big question:** matrix intro says "most staff need **read**" but each person's line reads
> "Access" (= RW). Does everyone really need WRITE to the resident directory, or **read for most +
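Review bot: the dropped roster line `Ray Rai, Susan Hicks, Sharon Edwards, Alma R Montt *(no AD acct yet)*, John Trozzi, Matt Brooks, Lupe Sanchez` recorded Alma as having no AD account, yet the offboarding record in this same commit disables an existing on-prem `Alma.Montt` object in OU=Administrative. The matrix's "no AD acct yet" annotations are therefore not trustworthy; before any `SG-*` group is populated from this roster, check the remaining one (Kyla Quick Tiffany on the RW line) against AD directly with a `Get-ADUser -Filter` query rather than relying on the matrix. Keeping the struck-through name with the offboarding date, as the replacement line does, is the right way to preserve the audit trail; the same convention should be applied wherever Alma appears elsewhere in the roster.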
@@ -75,8 +75,7 @@ Sheldon Gardfrey, Ray Rai, Christina DuPras, Meredith Kuhn, Ashley Jensen
> Kitchen staff get Culinary ONLY (no Directory, no other shares). No `SG-Culinary-RO` group — RO trio needs one or direct NTFS read.
### `SG-Activities-RW` → `\\CS-SERVER\Activities` (= Life Enrichment)
**RW:** Susan Hicks **[OPEN]**, Sharon Edwards, Alma R Montt *(no AD acct yet)*, Veronica Feller,
Meredith Kuhn, Ashley Jensen
**RW:** Susan Hicks **[OPEN]**, Sharon Edwards, Veronica Feller, Meredith Kuhn, Ashley Jensen · ~~Alma R Montt~~ *(OFFBOARDED 2026-06-25)*
**RO:** Shelby Trozzi, Christina DuPras
> Confirm `Activities` share == the Life Enrichment data share (matrix called it `LifeEnrichment`).
> LE workstations have no mapped drives today — this is their first map.
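Review bot: the Culinary context line `No SG-Culinary-RO group — RO trio needs one or direct NTFS read.` should be resolved in favour of the group, not direct NTFS ACEs: the offboarding record in this commit verifies removal only by `groupCount=0`, so a direct ACE on the Culinary share would survive an offboarding unnoticed. The same applies to the `SG-Activities-RW` section here, where the `RO: Shelby Trozzi, Christina DuPras` line has no named group. Giving every RW and RO roster its own `SG-*` group means the struck-through pattern used for Alma maps onto a single `Remove-ADGroupMember` and shows up in a membership audit.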
@@ -127,4 +126,5 @@ Veronica Feller, Shelby Trozzi, Christine Nyanzunda
## AD-account verification needed before assignment
Confirm a domain account exists for: Cathy Kingston, Shontiel Nunn, Michelle Shestko,
Sebastian Leon, Sheldon Gardfrey, Ray Rai, Sharon Edwards, Allison Reibschied.
**Create first:** Kyla Quick Tiffany, Alma R Montt (matrix: not yet created).
**Create first:** Kyla Quick Tiffany (matrix: not yet created).
*(Alma R Montt — OFFBOARDED 2026-06-25, see `docs/security/offboarding-2026-06-25-alma-montt.md`.)*
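Review bot: with Alma moved from `Create first` to the offboarded parenthetical, this section needs an explicit guard for whoever scripts the group memberships: the `SG-*` groups in this roster do not exist yet, so the `groupCount=0` result in the offboarding record proves nothing about them, and a script built from an earlier copy of the roster would re-add her. Suggest stating here that struck-through names are excluded when groups are created, and adding `Alma.Montt` (expected: disabled, in `OU=Excluded-From-Sync`) to the post-creation verification alongside the eight accounts listed above.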

View File

@@ -0,0 +1,45 @@
# Offboarding Record — Alma Montt
**Date:** 2026-06-25 · **Performed by:** Howard Enos (ClaudeTools session) · **Authorized by:** Howard Enos
**Separation type:** Termination (no longer with Cascades) · **Role:** Memory Care Life Enrichment / MC Reception
**Runbook:** `docs/security/termination-procedures.md`
## Identities handled
- **M365 (cloud-only):** `Alma.Montt@cascadestucson.com` — id `b2fb546e-687a-4647-b286-9c8edd3d989f`
- **On-prem AD:** `Alma.Montt` (was OU=Administrative,OU=Departments,DC=cascades,DC=local — separate object, NOT Entra-synced)
- **ALIS:** N/A — Alma had no ALIS access (Life Enrichment role, not clinical/caregiver; confirmed Howard 2026-06-25)
## Actions completed (M365)
| # | Action | Result |
|---|---|---|
| 1 | Revoke active sign-in sessions | HTTP 200 |
| 2 | Block sign-in (`accountEnabled=false`) | confirmed false |
| 3 | Reset password (random, vaulted) | OK (via JIT PAA — see follow-up) |
| 4 | Grant `Shelby.Trozzi` **FullAccess + AutoMapping** to mailbox | confirmed (auto-attaches in Shelby's Outlook) |
| 5 | Convert mailbox → **SharedMailbox** | confirmed (78 MB / 198 items) |
| 6 | Remove **Business Premium (SPB)** license | confirmed 0 licenses — **frees 1 SPB seat** |
| 7 | Hide from GAL | confirmed |
| 8 | Remove from `SG-SSPR-Eligible` | HTTP 204 |
## Actions completed (on-prem AD, CS-SERVER)
- `Disable-ADAccount Alma.Montt` → Enabled=False
- Group memberships stripped → groupCount=0
- Moved to `OU=Excluded-From-Sync,DC=cascades,DC=local`
## Retention / compliance
- **No Litigation Hold applied.** Decision (Howard, 2026-06-25): Alma had **no PHI / medical-data access**
in her role, so the 7-yr litigation hold is not required. Mailbox is preserved via shared-mailbox
conversion + zero-deletion posture (no mailbox deleted). Revisit only if her PHI-access
determination changes.
- Password stored for emergency recovery/audit only: vault `clients/cascades-tucson/alma-montt`.
**Do NOT re-enable without authorization.**
## Open follow-ups
- [x] ~~ALIS staff profile~~ — N/A, no ALIS access (Howard 2026-06-25).
- [ ] **SECURITY — needs Global Admin / portal:** the password reset required a JIT elevation of the
**ComputerGuru Tenant Admin** service principal to **Privileged Authentication Administrator**, and
the automatic role removal was blocked by Graph ("removing self from built-in role is not allowed").
**The PAA role is still assigned to the SP and must be removed manually** in Entra
(Roles & admins → Privileged Authentication Administrator → remove `ComputerGuru - Tenant Admin`).
Its standing **Conditional Access Administrator** role is intentional — leave that.
- [ ] Reconcile: Alma removed from the proposed share rosters (`docs/migration/share-group-roster-proposed-2026-06-25.md`).
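Review bot: the open item `The PAA role is still assigned to the SP and must be removed manually` should be treated as blocking rather than a follow-up: Privileged Authentication Administrator can reset passwords and authentication methods for any user, Global Administrators included, so the `ComputerGuru - Tenant Admin` service principal currently holds tenant-takeover capability on top of its intentional Conditional Access Administrator role, and the Graph error `removing self from built-in role is not allowed` shows the SP was used to remove its own assignment. A separate human admin account should remove it now, and future elevations should be granted and revoked from an identity other than the one being elevated. The elevation was also larger than the task required: User Administrator can reset the password of a user holding no admin roles, which Alma was, so the runbook should name that role instead of PAA. Two smaller points in the M365 table: steps 1 and 2 are in the wrong order (block sign-in first, then revoke sessions, otherwise a refresh in the gap can mint new tokens against a still-enabled account), and the litigation-hold decision under `Retention / compliance` rests on role, not mailbox contents; an MC Reception mailbox can carry resident information regardless of ALIS access, so record whether the mailbox itself was reviewed before the 7-year hold was waived.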