diff --git a/clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md b/clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md new file mode 100644 index 0000000..a6fba48 --- /dev/null +++ b/clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md 
@@ -0,0 +1,41 @@ +# Follow-up email — four open items from the staff list + +**To:** Meredith Kuhn, John Trozzi (cc: Ashley Jensen) +**From:** Howard Enos — Computer Guru +**Date:** 2026-04-22 +**Subject:** Got the staff list — thank you. Four small follow-ups before I set up accounts. + +--- + +Meredith / John, + +Thank you for sending back the staff list — that's exactly what I needed and it's going straight into the account setup plan. Before I start creating M365 accounts and access policies, I want to confirm a few small things so I don't make the wrong call on any of them: + +1. **Kyla Quick Tiffany** — is her last name three separate words (Quick Tiffany), hyphenated (Quick-Tiffany), or is one of those actually a middle name? I want the account to match whatever her ID / payroll uses. + +2. **Ederick Yuzon** — just confirming the spelling of the first name. "Ederick" vs "Edrick" vs something else? + +3. **Christine Nyanzunda (Memory Care Admin Assistant)** — I originally had her on the caregiver shift-staff list as well. The staff list you sent back only has her once, under Memory Care admin. Can you confirm she's one person with one account, not two? (Account-wise it matters because the admin and caregiver tiers get different licenses and phone access.) + +4. **Alma R Montt (Life Enrichment)** — the title field on her row came back blank. What's her actual title / role so I can put it on the account? + +5. **Britney Thompson** — she's in Active Directory today as a Memory Care Nurse with a real account, but she's not on the list you sent back. Did she leave, is she part-time / on leave, or should she still be there? If she's gone I'll disable the account (and recover the license). + +6. **Polett Pinazavala** — I had her on my caregiver roster (AM, Memory Care, MedTech) from earlier notes, and she's not on the returned list either. Same question — did she leave? 
+ +One related decision I still need from you when you have a minute: + +> Do you want **all staff restricted to signing in only from the building**, or just certain roles (e.g. front desk / kitchen / clinical)? + +The staff list confirms who's on D+P vs. D-only vs. P-only, but "restrict everyone to the building" vs. "only restrict some" changes the license count (it roughly doubles the P2-equivalent licenses we'd buy) and the Conditional Access policy design. Either answer is fine — I just need the call. + +No rush. Whichever of you can reply fastest on the five spellings/titles will unblock me; the building-vs-selective question can wait another day or two if you want to think about it. + +Thank you — + +Howard + +--- + +*Draft — prepared 2026-04-22 after processing the staff-editor CSV return.* +*Related: `reports/cascades-staff-2026-04-22.csv`, `docs/cloud/p2-staff-candidates.md`.* diff --git a/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md b/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md index 0ef4f85..8a0644f 100644 --- a/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md +++ b/clients/cascades-tucson/docs/cloud/p2-staff-candidates.md 
@@ -1,8 +1,9 @@ # Staff Entra P2 Candidates — Cascades -**Status:** Documentation only — no license purchase or policy activation yet. Awaiting full list from John Trozzi. -**Last updated:** 2026-04-18 (Howard) -**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout. +**Status:** List received from Meredith/John (2026-04-22) via staff-editor CSV. Ready for licensing + CA policy design. No license purchase or policy activation yet. +**Last updated:** 2026-04-22 (Howard) +**Source of truth:** `reports/cascades-staff-2026-04-22.csv` (70 people, 11 departments, access/outside/ALIS flagged per person) +**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout (overlaps with the 39 shift-staff rows in the CSV). ## Why this list is separate 
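Review bot: the new **Source of truth** line says the CSV holds 70 people, but the CSV hunk in this same commit adds 72 lines, i.e. a header plus 71 rows (32 office / reception / courtesy-patrol / driver rows, 37 named caregivers, 2 "Reliable Agency" placeholders), and the rollout plan's persona table in this commit totals 71. State the count the file actually has and say whether the two agency placeholders are inside it, because every license subtotal downstream keys off this number.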
@@ -33,22 +34,58 @@ A staff member needs P2 if they match one or more: | Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user | | Tamra Matthews | Move-In Coordinator | Same — intake forms | **Leaving in June 2026** — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). | -### Awaiting from John Trozzi +### Full list received 2026-04-22 (via staff-editor CSV) -Per his 2026-04-17 email: "I will gather this information for you tomorrow." Expected additions likely include: -- Meredith Kuhn (Executive Director — CEO-equivalent, highest impersonation / PHI risk) -- Ashley Jensen (Assistant Executive Director) -- John Trozzi himself (Facilities/Maintenance Director — judgment call on PHI exposure) -- Lois Lane (Health Services Director — clinical data) -- Karen Rossini (Health Services Manager — clinical data) -- Britney Thompson (Memory Care Nurse — clinical data) -- Shelby Trozzi (Memory Care Director — clinical data) -- Christina DuPras (Resident Services Director) -- Christine Nyanzunda (Memory Care Admin Assistant) -- Susan Hicks (Life Enrichment Director — activity records may include PHI-adjacent data) -- Sharon Edwards (Life Enrichment Assistant) +The CSV encodes access posture per person with three columns: **Access** (D / P / D+P), **Outside Access** (Y/N — i.e. work from home / personal device), **ALIS** (Y/N — resident management system). -Don't presume — wait for John's actual reply before buying licenses. 
+**P2-needed office staff** (D+P, Outside=Y, ALIS=Y — meets criteria 2 and/or 3 above): + +| Department | Name | Title | +|---|---|---| +| Administrative | Meredith Kuhn | Executive Director | +| Administrative | Ashley Jensen | Assistant Executive Director | +| Administrative | Lauren Hasselman | Business Office Director | +| Marketing / Sales | Megan Hiatt | Sales Director (PHI — resident intake) | +| Marketing / Sales | Crystal Rodriguez | Sales Associate (PHI — resident intake) | +| Marketing / Sales | Tamra Matthews | Move-In Coordinator (PHI — **leaving June 2026, confirmed**) | +| AL Nursing | Lois Lane | Health Services Director | +| AL Nursing | Karen Rossini | Health Services Manager | +| AL Nursing | Veronica Feller | Care, AL Aide | +| Memory Care | Shelby Trozzi | Memory Care Director | +| Memory Care | Christine Nyanzunda | MC Admin Assistant | +| Resident Services | Christina DuPras | Resident Services Director | +| Life Enrichment | Susan Hicks | Life Enrichment Director | +| Life Enrichment | Alma R Montt | *(title blank in CSV — follow-up)* | +| Culinary | JD Martin | Culinary Director | +| Culinary | Alyssa Brooks | Dining Manager | +| Maintenance | John Trozzi | Facilities Director | +| Maintenance | Matt Brooks | MC Receptionist / Maintenance (dual-department) | +| Housekeeping | Lupe Sanchez | Housekeeping Director (aka Guadalupe Sanchez) | + +**Subtotal: 19 office-staff P2 licenses.** + +**Outside=N, ALIS=Y staff** (D+P, in-building only — criteria 1 may apply if they use a personal phone on-site): + +| Department | Name | Notes | +|---|---|---| +| Administrative | Allison Reibschied | Accounting Assistant | +| AL Nursing / none | — | — | +| Life Enrichment | Sharon Edwards | LE Assistant (Outside=N but ALIS=Y) | +| Culinary | Ramon Castaneda | Kitchen Manager (Outside=N, ALIS=N — actually no P2 need unless we go building-only-restrict-everyone) | + +Allison + Sharon are borderline — ALIS handling alone doesn't mandate P2, but if we go the 
"enforce building-only sign-in for anyone with ALIS access" route, they'd need P2 to carry the CA policy. Wait for the "restrict everyone or just some" decision before deciding. + +**Note on Britney Thompson:** Previously predicted as a likely P2 candidate, absent from the 2026-04-22 CSV return. **Confirmed 2026-04-22 (Howard) — still an employee; needs Desktop + possibly Phone access.** Treated as Office-PHI (external-OK) clinical staff for license math until Meredith specifies a different posture. Add to purchase count. + +**Note on Polett Pinazavala:** On the original 2026-04-18 caregiver roster, absent from the 2026-04-22 CSV return. **Confirmed 2026-04-22 (Howard) — still an employee; needs Desktop + possibly Phone.** Treated as Caregiver for license math (included in the caregiver rollout count, not in the office P2 count). + +**Shared-PC receptionists** (D only, no Outside, no ALIS): Cathy Kingston, Shontiel Nunn, Kyla Quick Tiffany, Michelle Shestko — four people on shared front-desk PCs. No individual P2 needed; their story is shared-account vs individual-account, not P2. + +**Courtesy Patrol** (D+P, no Outside, no ALIS): Sebastian Leon, Sheldon Gardfrey, Ray Rai — in-building only, no ALIS. No P2 need. + +**Drivers** (P only): Richard Adams, Julian Crim, Christopher Holick — phone-only access. Covered by the caregiver/mobile rollout if we treat them the same, otherwise simpler F-SKU / Exchange-Online-only licensing. + +**Caregivers** (39 rows including 2 "Reliable Agency" placeholders): covered by `docs/cloud/caregiver-m365-p2-rollout.md`, not this list. ## Decision still open (from Howard's 2026-04-16 email to leadership) 
@@ -68,17 +105,19 @@ No answer yet. This decision directly changes the license count and the CA polic | Scenario | Qty | Notes | |---|---|---| -| Confirmed today (Crystal, Megan, Tamra-through-June) | 3 | Crystal's reply | -| Likely additions from John + Meredith (guessed) | ~5–8 | Wait for actual reply | -| All staff (if "restrict everyone" decision) | ~23 | Equals the full post-cleanup licensed-user count from `docs/cloud/m365.md` | +| Confirmed P2-needed (Outside=Y + ALIS=Y office staff from CSV) | **19** | See table above | +| + Britney Thompson (confirmed 2026-04-22, CSV-omitted, clinical PHI) | **20** | Office-PHI tier | +| Add borderline (Outside=N + ALIS=Y: Allison + Sharon) | **22** | Only if we pick "restrict-everyone-with-ALIS" posture | +| All staff (if "restrict everyone" decision) | ~32 office + 40 caregivers (incl. Polett) | Full headcount including the two CSV-omitted returnees | ## Action items -- [ ] Follow up with John Trozzi on the gathering — he owes us the list -- [ ] Push Meredith for the "restrict everyone or just some" decision -- [ ] When list is final, decide: standalone P2 add-on OR move those users to Business Premium OR move the whole tenant to Business Premium (recommended) +- [x] ~~Follow up with John Trozzi on the gathering — he owes us the list~~ (received 2026-04-22 via CSV) +- [ ] Push Meredith for the "restrict everyone or just some" decision — still unanswered as of 2026-04-22 +- [ ] Resolve open CSV questions (see `clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md`): Kyla Quick Tiffany spelling, Ederick Yuzon spelling, Christine Nyanzunda caregiver-overlap, Alma R Montt title, Britney Thompson status +- [ ] Decide: standalone P2 add-on for the 19 OR move those users to Business Premium OR move whole tenant to Business Premium (default recommendation: Premium tenant-wide) - [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy -- [ ] Remember to REMOVE Tamra's 
license + CA exclusion on her departure date (June 2026) +- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026 — confirmed) ## Related docs diff --git a/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md new file mode 100644 index 0000000..0f8fde1 --- /dev/null +++ b/clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md 
@@ -0,0 +1,196 @@ +# User Account Rollout Plan — Cascades of Tucson + +**Status:** Planning — no account creation or license assignment yet. +**Created:** 2026-04-22 (Howard) +**Inputs:** +- `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*) +- `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled) +- `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver identity/phone plan (39 caregivers) +- `docs/cloud/p2-staff-candidates.md` — P2 license sizing for the office-staff side +- `docs/cloud/m365.md` — current M365 tenant state + +## 1. Scope + +Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, licensed and policy-covered according to the **Access / Outside Access / ALIS** posture columns they returned. This plan covers the identity layer only — device/MDM work is already tracked in `caregiver-m365-p2-rollout.md` and the Intune rollout, and folder redirection continues under the existing GPO workstream. + +**Explicitly out of scope here:** +- Device enrollment (Intune flow already designed) +- Folder redirection GPO edits (separate workstream, already validated on DLTAGOI) +- M365 tenant licensing *purchase* decision (decision gated — see §10) + +## 2. 
Personas (derived from CSV access matrix) + +| Persona | Access | Outside | ALIS | Count | Examples | +|---|---|---|---|---|---| +| **Office-PHI (external-OK)** | D+P | Y | Y | 19 | Meredith, Megan, Lois, Susan, JD, John Trozzi, Lupe | +| **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards | +| **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda | +| **Courtesy Patrol** | D+P | N | N | 3 | Sebastian Leon, Sheldon Gardfrey, Ray Rai | +| **Shared-PC Reception** | D | N | N | 4 | Cathy, Shontiel, Kyla, Michelle | +| **Driver (phone-only)** | P | N | N | 3 | Richard Adams, Julian Crim, Christopher Holick | +| **Caregiver (shared-phone)** | D+P | N | Y | 37 | See caregiver-m365-p2-rollout.md | +| **Agency placeholder** | D+P | N | Y | 2 | "Reliable Agency 1/2" | + +(Totals: 71 including agency placeholders. Office: 29, Reception: 4, Drivers: 3, Caregivers: 37 + 2 agency = 39. One person — Christine Nyanzunda — sits in two personas: MC Admin + part-time MedTech, one account, caregiver-tier controls apply when on shift.) + +## 3. License mapping per persona + +**Guiding principles:** +1. Default to **Business Premium** tenant-wide (already the recommendation in `p2-staff-candidates.md` — bundles Intune + P2 + Defender + DLP). +2. Use **F3** only for phone-only users (drivers) where Premium is overkill and F3 covers Exchange/Teams needs. +3. Reception shared PCs get shared *mailboxes* for `Frontdesk@`, but each named receptionist gets her own licensed account so audits attribute individual actions. 
+ +| Persona | License | Notes | +|---|---|---| +| Office-PHI (external-OK) | **Business Premium** | CA: compliant device OR trusted location | +| Office-PHI (in-building) | **Business Premium** | CA: trusted location only | +| Office non-PHI (in-building) | Business Standard (or Premium if tenant-wide) | CA: trusted location only if we go that route | +| Courtesy Patrol | Business Standard | Could be F3 if they don't need full desktop Office; confirm with Meredith | +| Shared-PC Reception | Business Standard | Frontdesk@ stays as shared mailbox, named accounts read it | +| Driver (phone-only) | **F3** | Phone-tier, no desktop install, Transportation@ shared mailbox | +| Caregiver | **Business Premium** | Per `caregiver-m365-p2-rollout.md` — P2 is load-bearing for shared-phone CA | +| Agency placeholder | Do not license | Create AD-only accounts if they need ALIS web login; otherwise omit | + +Expected license count at full rollout: +- Business Premium: 19 (office PHI ext) + 2 (office PHI int) + 37 caregivers = **58** +- Business Standard: 1 + 3 courtesy + 4 reception = **8** +- F3: 3 drivers = **3** + +Totals bracket the `p2-staff-candidates.md` estimate of ~61 Premium. If Meredith chooses "restrict everyone to building," it doesn't change this headline — it changes CA policy scope. + +## 4. AD OU + group layout (proposed) + +Current `cascades.local` OU layout is loose (see `docs/servers/active-directory.md`). 
Proposed structure to align with the persona matrix and folder-redirection GPOs already in place: + +``` +OU=Cascades Users +├── OU=Administrative +├── OU=Marketing (new name for existing Marketing dept) +├── OU=Care-AssistedLiving +├── OU=Care-MemoryCare +├── OU=ResidentServices +│ ├── OU=FrontDesk (reception shared-PC users) +│ └── OU=CourtesyPatrol +├── OU=LifeEnrichment +├── OU=Culinary +├── OU=Maintenance +├── OU=Housekeeping +├── OU=Transportation (drivers) +└── OU=Caregivers (all 37 shift staff) +``` + +**Security groups (AD-synced, Entra-usable):** +- `SG-Office-PHI-External` — 19 people, drives CA policy + Premium license group +- `SG-Office-PHI-Internal` — 2 people (Allison, Sharon) +- `SG-CourtesyPatrol` — 3 +- `SG-FrontDesk` — 4 +- `SG-Drivers` — 3 +- `SG-Caregivers` — 37 (already exists or needs creating — check against current `Cascades - Shared Phones` Entra group, which may already cover this) + +CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirection, local policy) only. + +## 5. Conditional Access policy set + +One named CA policy per persona/posture to keep the decision tree flat: + +| Policy | Targets | Grant | +|---|---|---| +| `CSC - Office PHI External` | SG-Office-PHI-External | Require compliant device OR trusted location + MFA | +| `CSC - Office PHI Internal` | SG-Office-PHI-Internal | Block except from trusted location | +| `CSC - FrontDesk Building-Only` | SG-FrontDesk | Block except from trusted location | +| `CSC - Courtesy Patrol Building-Only` | SG-CourtesyPatrol | Block except from trusted location | +| `CSC - Drivers Phone-Only` | SG-Drivers | Require compliant Intune-managed phone; no web fallback | +| `CSC - Caregivers Shared Phone` | SG-Caregivers | Already designed per `caregiver-m365-p2-rollout.md` | + +**Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`). + +## 6. 
Pre-flight reconciliation (CSV vs current AD) + +These must be resolved before creating or converting accounts. See also `cascades-staff-followup-2026-04-22.md`. + +| Discrepancy | Status | Action | +|---|---|---| +| **Britney Thompson** — in AD (enabled, Memory Care Nurse), NOT on returned CSV | **Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone.** | Keep existing AD account. Treat as Office-PHI / clinical (D+P, ALIS=Y). Confirm phone tier and Outside posture with Meredith. | +| **Polett Pinazavala** — on 2026-04-18 caregiver roster, NOT on returned CSV | **Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone.** | Keep on caregiver roster. Include in Wave 3 caregiver account creation. Confirm phone tier with Meredith. | +| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Confirmed 2026-04-22 (Howard) — one person, one account.** | One account in `OU=Care-MemoryCare`. Office-PHI CA policy as primary; verify shared-phone sign-in works within that envelope before caregiver-CA change is considered. | +| **Alma R Montt** — on CSV (Life Enrichment), NOT in AD, title blank | **Username assigned 2026-04-22 (Howard): `Alma.Montt`.** Title still pending Meredith. | Create AD account at `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Populate title once Meredith answers. | +| **Kyla Quick Tiffany** — on CSV and in AD "needs account" list | **Username assigned 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account at `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. | +| **Ederick Yuzon** — spelling not confirmed | Still pending Meredith. | Block on creation; use `Ederick.Yuzon` tentatively if Meredith confirms. | +| **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. 
| +| **37 caregivers** — on CSV, none in AD | Unchanged. | Create all 37 AD accounts (+ M365) in Wave 3. | +| **2 agency placeholders** — on CSV, not in AD | Unchanged. | Decide with Meredith: real accounts or ALIS-only? | +| **Generic AD accounts** (`Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare`) | Unchanged. | Phase 5 cleanup after named-account coverage. | + +**Username convention for new accounts:** TitleCase `First.Last` (e.g., `Alma.Montt`, `Kyla.QuickTiffany`). Existing lowercase exceptions in AD (`britney.thompson`, `karen.rossini`, `lauren.hasselman`) are the known legacy cases — leave as-is, don't rename. All net-new accounts follow TitleCase. + +## 7. Rollout sequence + +### Wave 0 — Pre-flight (blocks waves 1+) +- Get answers to the 5 follow-up questions (Kyla/Ederick/Christine/Alma/Britney) + the "restrict-everyone or selective" policy decision from Meredith +- Close Polett Pinazavala discrepancy +- Final license decision (Business Premium tenant-wide vs. mixed) +- Purchase license count locked in + +### Wave 1 — New office accounts (low blast radius) +- Create AD + M365 for Alma R Montt and Kyla Quick Tiffany (the only new office/reception accounts the CSV produces) +- Validate group membership + CA policy assignment on these two before touching anyone else +- Pilot the `CSC - FrontDesk Building-Only` policy with Kyla + +### Wave 2 — Existing office accounts, reassignment only +- Move existing users into new OU layout (no identity changes, just OU move + group membership) +- Attach each to the correct `SG-*` group based on CSV persona +- CA policies begin applying; watch for sign-in failures + +### Wave 3 — Caregiver bulk creation +- Execute `caregiver-m365-p2-rollout.md` rollout — 37 AD + M365 accounts, SG-Caregivers, shared-phone CA +- Already designed; this plan just sequences it after office wave + +### Wave 4 — Cleanup +- Disable/remove `Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare` generics once their functions are covered 
by named accounts + shared mailboxes +- Disable departed accounts (Britney pending answer, Tamra on departure June 2026) +- Rotate `krbtgt` password (noted stale in AD doc — overdue) + +## 8. Account creation template (per new user) + +Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built later; plan-level checklist: + +1. AD account: `First.Last` (consistent with existing convention; note lowercase exceptions for Britney, Karen, Lauren — new accounts use TitleCase) +2. UPN: `first.last@cascadestucson.com` +3. Password: auto-generated, stored in vault (`clients/cascades-tucson/new-user-.sops.yaml`), delivered to Meredith via 1Password share +4. OU placement per persona +5. Group membership: department-appropriate `SG-*` +6. M365 license assignment (group-based if feasible) +7. Mailbox creation (Exchange Online) +8. ALIS account provisioning (separate system — Meredith/Lois handle) +9. MFA registration — push to user first login +10. Confirmation email to Meredith with username + password-share link + +## 9. Dependencies on other workstreams + +- **Folder redirection GPO rollout** (`CONTEXT.md` §48) — when we move users to new OUs, make sure the FR GPOs are re-linked to the new OU or stay linked to parent `OU=Cascades Users`. Test on one mover before batch. +- **Intune phone rollout** (`PROJECT_STATE.md`) — caregiver accounts must exist before Wave 3 of phone deployment (24 remaining Samsung A15s). Identity-first, device-second. +- **Business Premium purchase proposal** (`docs/proposals/m365-premium-upgrade.md`) — blocks wave 1 if Meredith hasn't approved license spend. + +## 10. Open decisions blocking the rollout + +1. **"Restrict everyone to building" vs. selective** — Meredith, outstanding since 2026-04-16. Determines CA scope. +2. **Business Premium tenant-wide vs. mixed SKUs** — Meredith, tied to the upgrade proposal. +3. **Ederick Yuzon spelling** — Meredith/John, in the 2026-04-22 follow-up email. +4. 
**Alma R Montt title** — Meredith/John, in the follow-up email. +5. **Britney phone + Outside posture** — Meredith (employment confirmed by Howard; access tier still TBD). +6. **Polett phone + Outside posture** — Meredith (employment confirmed by Howard; access tier still TBD). +7. **Agency placeholder accounts — real or ALIS-only?** — Meredith. +8. **Drivers: F3 or Business Standard?** — Meredith (cost vs. Office install need). + +**Resolved 2026-04-22 (Howard):** Christine Nyanzunda = one person, one account. Kyla = `Kyla.QuickTiffany` (her preference). Alma = `Alma.Montt`. Britney + Polett both still employed. + +## 11. Related docs + +- `reports/cascades-staff-2026-04-22.csv` +- `docs/cloud/cascades-staff-followup-2026-04-22.md` +- `docs/cloud/p2-staff-candidates.md` +- `docs/cloud/caregiver-m365-p2-rollout.md` +- `docs/cloud/m365.md` +- `docs/servers/active-directory.md` +- `docs/proposals/m365-premium-upgrade.md` +- `docs/security/hipaa.md` diff --git a/clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv b/clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv new file mode 100644 index 0000000..e292767 --- /dev/null +++ b/clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv 
@@ -0,0 +1,72 @@ +Department,Name,Title / Role,Access,Outside Access,ALIS,Notes +Administrative,Meredith Kuhn,Executive Director,D+P,Y,Y, +Administrative,Ashley Jensen,Assistant Executive Director,D+P,Y,Y, +Administrative,Lauren Hasselman,Business Office Director,D+P,Y,Y, +Administrative,Allison Reibschied,Accounting Assistant,D+P,N,Y, +Marketing / Sales,Megan Hiatt,Sales Director,D+P,Y,Y,Handles resident intake (PHI) +Marketing / Sales,Crystal Rodriguez,Sales Associate,D+P,Y,Y,Handles resident intake (PHI) +Marketing / Sales,Tamra Matthews,Move-In Coordinator,D+P,Y,Y,Leaving June 2026 — confirm yes +"Care, Assisted Living (Nursing / Clinical)",Lois Lane,Health Services Director,D+P,Y,Y, +"Care, Assisted Living (Nursing / Clinical)",Karen Rossini,Health Services Manager,D+P,Y,Y, +"Care, Assisted Living (Nursing / Clinical)",Veronica Feller,"Care, Assisted Living Aide",D+P,Y,Y, +"Care, Memory Care",Shelby Trozzi,Memory Care Director,D+P,Y,Y, +"Care, Memory Care",Christine Nyanzunda,Memory Care Admin Assistant,D+P,Y,Y,Also on caregiver list — same person? +Resident Services,Christina DuPras,Resident Services Director,D+P,Y,Y, +Resident Services,Cathy Kingston,Receptionist,D,N,N,Front desk shared PC +Resident Services,Shontiel Nunn,Receptionist,D,N,N,Front desk shared PC +Resident Services,Kyla Quick Tiffany,Receptionist,D,N,N,"Is the spelling correct? Three separate names, or is it 'Quick-Tiffany' with a hyphen?" 
+Resident Services,Michelle Shestko,MC Receptionist,D,N,N,MC front desk shared PC +Resident Services,Sebastian Leon,Courtesy Patrol,D+P,N,N, +Resident Services,Sheldon Gardfrey,Courtesy Patrol,D+P,N,N, +Resident Services,Ray Rai,Courtesy Patrol,D+P,N,N, +Life Enrichment,Susan Hicks,Life Enrichment Director,D+P,Y,Y, +Life Enrichment,Sharon Edwards,Life Enrichment Assistant,D+P,N,Y, +Life Enrichment,Alma R Montt,,D+P,Y,Y, +Culinary,JD Martin,Culinary Director,D+P,Y,Y, +Culinary,Ramon Castaneda,Kitchen Manager,D+P,N,N, +Culinary,Alyssa Brooks,Dining Manager,D+P,Y,Y, +Maintenance,John Trozzi,Facilities Director,D+P,Y,Y, +Maintenance,Matt Brooks,Memory Care Receptionist,D+P,N,Y,HR says Maintenance — which is correct? he works in both departments +Housekeeping,Lupe Sanchez,Housekeeping Director,D+P,Y,Y,AKA Guadalupe Sanchez +Transportation,Richard Adams,Driver,P,N,N, +Transportation,Julian Crim,Driver,P,N,N, +Transportation,Christopher Holick,Driver,P,N,N, +Caregivers (shift staff),Thelma Abainza,Caregiver — Tower (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Niel Castro,MedTech / CCG — Tower (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Espe Esperance,MedTech — Tower (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Barbara Johnson,Caregiver — Tower (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Kasey Flores,Caregiver — Memory Care (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Richard Flores,Caregiver — Memory Care (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Marie Kastner,Caregiver — Memory Care (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Bella Mendoza,Caregiver — Memory Care (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Rosa Morales,MedTech — Memory Care (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Sandra Padilla,MedTech / CCG — Tower (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Whisper Reed,MedTech — Tower overnight (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Patricia Sandoval-Beck,MedTech — Tower (Tue–Sat),D+P,N,Y,Hyphenated last name — correct? 
correct +Caregivers (shift staff),Charity Sika,Caregiver — Memory Care (Tue–Sat),D+P,N,Y, +Caregivers (shift staff),Ederick Yuzon,Caregiver — Tower (Tue–Sat),D+P,N,Y,Confirm spelling +Caregivers (shift staff),Juan Andrade,Caregiver — Memory Care (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Jahmeka Clarke,MedTech — Memory Care (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Karina Aziakpo,MedTech / CCG — MC overnight (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Jinnelle Dittbenner,Caregiver — Tower (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Agnes McFerren,Caregiver — Tower (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Samuel Ramirez,Caregiver — Tower (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Erica Sanchez,Caregiver — Memory Care (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Katrina Wyzykowski,MedTech — Memory Care (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Corey Tate,Caregiver — Tower NOC (Sun–Thu),D+P,N,Y, +Caregivers (shift staff),Ashli Atwood,MedTech / CCG — MC overnight (Fri–Mon),D+P,N,Y, +Caregivers (shift staff),Cole Johnson,MedTech — Tower (Fri–Mon),D+P,N,Y, +Caregivers (shift staff),Roseline Cooper,Caregiver — MC overnight (Fri–Mon),D+P,N,Y, +Caregivers (shift staff),Monique Lopez,Caregiver — Tower Fri+Sat doubles,D+P,N,Y, +Caregivers (shift staff),Gloria Williford,MedTech — MC Fri+Sat doubles,D+P,N,Y, +Caregivers (shift staff),Sarah Carroll,Caregiver — Tower (Thu–Mon),D+P,N,Y, +Caregivers (shift staff),Luke Hogan,Caregiver — Tower (Thu–Mon),D+P,N,Y, +Caregivers (shift staff),Gina Williams,Caregiver — Tower (Thu–Mon),D+P,N,Y, +Caregivers (shift staff),Jen Higdon,Caregiver — Tower M/W/F AM,D+P,N,Y, +Caregivers (shift staff),Mary Kariuki,Caregiver — Tower Sat–Mon + Wed PM,D+P,N,Y, +Caregivers (shift staff),CeCe Lassey,Caregiver — Tower Sun/Mon doubles + Tue PM,D+P,N,Y, +Caregivers (shift staff),Paty Doran,MedTech / CCG — Tower Sun/Mon only,D+P,N,Y,"Paty, Patti, or Patricia? 
Patricia Camarena Doran" +Caregivers (shift staff),Ezekiel Huerta,Caregiver PRN — Tower,D+P,N,Y, +Caregivers (shift staff),Maia Baker,MedTech PRN — Memory Care,D+P,N,Y,Is she still employed? part time +Caregivers (shift staff),Reliable Agency 1,,D+P,N,Y, +Caregivers (shift staff),Reliable Agency 2,,D+P,N,Y, \ No newline at end of file diff --git a/clients/cascades-tucson/session-logs/2026-04-22-howard-staff-csv-ingest-and-user-rollout-plan.md b/clients/cascades-tucson/session-logs/2026-04-22-howard-staff-csv-ingest-and-user-rollout-plan.md new file mode 100644 index 0000000..8ac69e4 --- /dev/null +++ b/clients/cascades-tucson/session-logs/2026-04-22-howard-staff-csv-ingest-and-user-rollout-plan.md 
@@ -0,0 +1,108 @@ +# 2026-04-22 — Cascades staff CSV ingest + AD/M365 user rollout plan + +## User +- **User:** Howard Enos (howard) +- **Machine:** HOWARD-HOME +- **Role:** tech + +## Session Summary + +Meredith Kuhn and John Trozzi returned the staff-editor questionnaire that Howard sent 2026-04-18. CSV saved to `C:\Users\Howard\Documents\cascades-staff-2026-04-22-1434.csv`. This session ingested that CSV into the repo, updated the P2 license candidate doc with the real list, drafted a follow-up email for the remaining open items, and wrote the full AD + M365 user-setup rollout plan. + +Howard then answered several of the open items live: +- **Britney Thompson** — still employed. Needs desktop access and possibly phone. Keep her AD account; treat as Office-PHI clinical for license math until Meredith specifies posture. +- **Polett Pinazavala** — still employed. Same treatment as Britney; she stays on the caregiver roster. +- **Christine Nyanzunda** — one person with two roles (MC Admin + part-time Sun/Mon MedTech), one account. +- **Alma R Montt** — username `Alma.Montt`. Title still pending Meredith. +- **Kyla Quick Tiffany** — username `Kyla.QuickTiffany` (Kyla's own preference — last name as one word). Treated as a Shared-PC Reception user. +- **Naming convention:** All NEW accounts follow TitleCase `First.Last`. The lowercase exceptions in AD (`britney.thompson`, `karen.rossini`, `lauren.hasselman`) are the only known legacy cases — leave as-is, don't rename. + +Howard will edit the follow-up email himself and send from his desktop, then return the sent copy. + +## Key Decisions + +1. **CSV placement:** `clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv` (Howard's choice). +2. **Persona model:** Eight personas derived from CSV columns (Access / Outside / ALIS). See §2 of the rollout plan. +3. 
**License default:** Business Premium tenant-wide, with F3 only for the 3 drivers and Business Standard fallback for non-PHI office roles if tenant-wide Premium isn't approved. +4. **Rollout waves:** W0 pre-flight → W1 new office accounts (Alma, Kyla) → W2 existing office reassignment → W3 caregiver bulk creation → W4 generics cleanup. +5. **Britney on license list:** Office-PHI tier by default given clinical role, until Meredith provides a different posture call. Bumps office P2 count 19 → 20. + +## Problems Encountered / Deltas Found + +- **Britney Thompson** — active in AD but absent from the CSV return. Resolved live: still employed. +- **Polett Pinazavala** — on 2026-04-18 caregiver roster, absent from CSV. Resolved live: still employed. +- **37 caregivers** have no individual AD accounts today (verified against `docs/servers/active-directory.md`). Wave 3 creates all 37. +- **Agency placeholders (2 rows)** need a decision on whether they become real accounts or ALIS-web-only logins. Deferred to Meredith. + +## Credentials / Secrets + +None handled or discovered this session. No vault reads. No credentials in any of the created docs. + +## Infrastructure / Servers Referenced + +- CS-SERVER (`192.168.2.254`) — primary DC for `cascades.local`, only DC, all FSMO roles. Source of truth for current AD state. +- M365 tenant: `cascadestucson.com`, tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498`. +- GuruRMM: Cascades client `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`, site `c157c399-82d3-4581-979a-b9fad70f4fef` (unchanged). +- Entra group `Cascades - Shared Phones` (existing, dynamic — drives Intune phone rollout; possibly overlaps with the proposed `SG-Caregivers` AD-sync group). + +No infrastructure changes made. Plan-level only. + +## Files Created + +| Path | Purpose | +|---|---| +| `clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv` | Meredith/John's returned staff-editor CSV, 70 rows. Source of truth for who should exist and with what access posture. 
| +| `clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md` | Draft email to Meredith/John with 6 open questions (Kyla, Ederick, Christine, Alma, Britney, Polett) plus the pending "restrict everyone or selective" decision. Howard will edit and send. | +| `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` | Full AD/M365 rollout plan: 8 personas, license mapping, OU/group layout, CA policy set, pre-flight reconciliation, 4-wave rollout sequence, 8 open decisions. | + +## Files Modified + +| Path | Change | +|---|---| +| `clients/cascades-tucson/docs/cloud/p2-staff-candidates.md` | Replaced "Awaiting from John Trozzi" section with real persona tables from CSV. Added Britney + Polett notes (still employed, confirmed live). Updated license math: 19 office P2 → 20 with Britney. Closed "follow up with John" action item. | + +## Commands Run + +- `cp "/c/Users/Howard/Documents/cascades-staff-2026-04-22-1434.csv" "clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv"` — CSV ingest. +- Various `git status`, `git log`, `git show` for context. +- Read operations across `clients/cascades-tucson/docs/cloud/` and `docs/servers/active-directory.md` for cross-reference. + +No destructive commands. No database, no credential, no network changes. + +## Pending / Next Steps + +### Blocked on Meredith / John (in the follow-up email) + +1. "Restrict everyone to building" vs. selective — outstanding since 2026-04-16. +2. Business Premium tenant-wide vs. mixed SKUs — tied to upgrade proposal. +3. Ederick Yuzon spelling. +4. Alma R Montt title. +5. Britney Thompson access posture (phone? Outside?). +6. Polett Pinazavala access posture (phone? Outside?). +7. Agency placeholders — real accounts or ALIS-only? +8. Drivers — F3 or Business Standard? + +### Waiting for Howard + +- Edit and send the follow-up email from `cascades-staff-followup-2026-04-22.md`. Return the final version so it's in the repo as the actual sent copy. 
+ +### Ready to execute once answers come back + +- Wave 1 account creation: `Alma.Montt`, `Kyla.QuickTiffany` +- Britney Thompson: confirm and apply persona tags +- Wave 3 caregiver bulk creation: 37 accounts (includes Polett) + +## Reference + +- Rollout plan: `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` +- P2 candidates (updated): `clients/cascades-tucson/docs/cloud/p2-staff-candidates.md` +- Caregiver-side plan (cross-reference): `clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md` +- AD state: `clients/cascades-tucson/docs/servers/active-directory.md` +- Source CSV: `clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv` +- Follow-up email draft: `clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md` + +## Note for Mike + +Cascades user rollout design is done at the plan level — 8 personas, license math, OU/group layout, CA policy set, 4-wave sequence. Blocked on 7 decisions from Meredith (see §10 of the plan). No license spend or account creation yet. Your call at any point to change the tenant-wide Business Premium default if budget says otherwise. + +Also flagging: Britney Thompson was absent from Meredith's returned CSV but is still employed per Howard — worth you confirming with Meredith next time you see her, since the omission is a signal she may not be top-of-mind for the access-policy work. Same for Polett Pinazavala on the caregiver side.
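Review bot: The two "Reliable Agency 1" / "Reliable Agency 2" rows in the CSV hunk carry the same `D+P,N,Y` access flags as named staff while their title field is blank, so anything that bulk-creates accounts from this file (the session log names it the "source of truth for who should exist") would provision two desktop-plus-phone accounts for placeholders that the log says are still an undecided question; give those rows an explicit marker (a blank or "PLACEHOLDER" value in the access column, or a separate status column) so they are skipped until Meredith decides. The same applies to the Maia Baker row, where the employment question "Is she still employed? part time" lives in a free-text field that no tooling will read; a status column is safer than prose for a row that should not be provisioned blindly. Minor: the file ends without a trailing newline (`\ No newline at end of file`), which will show up as a spurious change on the next edit.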
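Review bot: The session log calls the returned CSV the "Source of truth for who should exist and with what access posture", but the same log records two active employees (Britney Thompson, Polett Pinazavala) who were missing from it; the pre-flight reconciliation in wave W0 should therefore treat "in AD but absent from CSV" as a review queue, never as a trigger to disable or deprovision, and the plan text should say so explicitly so a later operator does not automate a disable step off this file. Two documentation inconsistencies in the same hunk: the "Blocked on Meredith / John" list has 8 items and the Files Created table says "8 open decisions", while the Note for Mike says "Blocked on 7 decisions from Meredith"; and the Files Created table describes the draft email as carrying open questions on Britney and Polett even though the Session Summary records both as "Resolved live: still employed", so the email draft should be updated (or the table reworded to say those two items became access-posture questions) before Howard sends it. Also worth resolving before wave W3: the log flags that the existing dynamic Entra group `Cascades - Shared Phones` "possibly overlaps" with the proposed `SG-Caregivers` sync group; a caregiver landing in both would get two sets of Intune/CA assignments, so the plan should state which group owns phone policy.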