cascades: ingest staff CSV + AD/M365 user rollout plan

Meredith/John returned the staff-editor questionnaire (70 people, 11
departments). CSV ingested to reports/; p2-staff-candidates.md updated
with real persona breakdown. Wrote full AD/M365 user rollout plan (8
personas, license mapping, OU/group layout, CA policies, 4-wave
sequence, 8 open decisions). Drafted follow-up email for remaining open
items — Howard will edit and send.

Britney Thompson and Polett Pinazavala confirmed still employed (were
absent from the CSV return). Christine Nyanzunda confirmed as one
person with two roles. Usernames locked for new accounts:
Alma.Montt, Kyla.QuickTiffany.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 15:09:39 -07:00
parent 223dc861c2
commit c077d58372
5 changed files with 480 additions and 24 deletions


@@ -0,0 +1,41 @@
# Follow-up email — four open items from the staff list
**To:** Meredith Kuhn, John Trozzi (cc: Ashley Jensen)
**From:** Howard Enos — Computer Guru
**Date:** 2026-04-22
**Subject:** Got the staff list — thank you. Four small follow-ups before I set up accounts.
---
Meredith / John,
Thank you for sending back the staff list — that's exactly what I needed and it's going straight into the account setup plan. Before I start creating M365 accounts and access policies, I want to confirm a few small things so I don't make the wrong call on any of them:
1. **Kyla Quick Tiffany** — is her last name three separate words (Quick Tiffany), hyphenated (Quick-Tiffany), or is one of those actually a middle name? I want the account to match whatever her ID / payroll uses.
2. **Ederick Yuzon** — just confirming the spelling of the first name. "Ederick" vs "Edrick" vs something else?
3. **Christine Nyanzunda (Memory Care Admin Assistant)** — I originally had her on the caregiver shift-staff list as well. The staff list you sent back only has her once, under Memory Care admin. Can you confirm she's one person with one account, not two? (Account-wise it matters because the admin and caregiver tiers get different licenses and phone access.)
4. **Alma R Montt (Life Enrichment)** — the title field on her row came back blank. What's her actual title / role so I can put it on the account?
5. **Britney Thompson** — she's in Active Directory today as a Memory Care Nurse with a real account, but she's not on the list you sent back. Did she leave, is she part-time / on leave, or should she still be there? If she's gone I'll disable the account (and recover the license).
6. **Polett Pinazavala** — I had her on my caregiver roster (AM, Memory Care, MedTech) from earlier notes, and she's not on the returned list either. Same question — did she leave?
One related decision I still need from you when you have a minute:
> Do you want **all staff restricted to signing in only from the building**, or just certain roles (e.g. front desk / kitchen / clinical)?
The staff list confirms who's on D+P vs. D-only vs. P-only, but "restrict everyone to the building" vs. "only restrict some" changes the license count (it roughly doubles the P2-equivalent licenses we'd buy) and the Conditional Access policy design. Either answer is fine — I just need the call.
No rush. Whichever of you can reply fastest on the five spellings/titles will unblock me; the building-vs-selective question can wait another day or two if you want to think about it.
Thank you —
Howard
---
*Draft — prepared 2026-04-22 after processing the staff-editor CSV return.*
*Related: `reports/cascades-staff-2026-04-22.csv`, `docs/cloud/p2-staff-candidates.md`.*
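Review bot: the subject line and heading promise "four" follow-ups, the body numbers six, and the closing paragraph refers to "the five spellings/titles"; settle on one count or drop the number from the subject. Items 3, 5 and 6 also ask questions this same commit records as already resolved (Christine Nyanzunda is one person with one account; Britney Thompson and Polett Pinazavala are still employed, per the rollout plan §6 and §10), so either cut them or rephrase them as confirmations of what Howard already heard. Item 1 asks how Kyla's surname is written while the plan has already locked `Kyla.QuickTiffany` on her own preference; if the real question is matching payroll/ID, say that and flag the username as provisional until they answer.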


@@ -1,8 +1,9 @@
# Staff Entra P2 Candidates — Cascades
**Status:** Documentation only — no license purchase or policy activation yet. Awaiting full list from John Trozzi.
**Last updated:** 2026-04-18 (Howard)
**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout.
**Status:** List received from Meredith/John (2026-04-22) via staff-editor CSV. Ready for licensing + CA policy design. No license purchase or policy activation yet.
**Last updated:** 2026-04-22 (Howard)
**Source of truth:** `reports/cascades-staff-2026-04-22.csv` (70 people, 11 departments, access/outside/ALIS flagged per person)
**Related (different population):** `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver phone rollout (overlaps with the 39 shift-staff rows in the CSV).
## Why this list is separate
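Review bot: the "Source of truth" line counts 70 people, but the CSV added in this commit has 71 data rows (its hunk header reads `+1,72`, which includes the header row): 69 named staff plus the two "Reliable Agency" placeholders, and the rollout plan's persona table in the same commit totals 71. State the row count and the named/placeholder split here so the two documents agree, and say which figure the license math uses.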
@@ -33,22 +34,58 @@ A staff member needs P2 if they match one or more:
| Crystal Rodriguez | Sales Associate | Same as Megan — intake forms, home + cell access | Already a protected user |
| Tamra Matthews | Move-In Coordinator | Same — intake forms | **Leaving in June 2026** — license can be re-harvested on exit. Value of buying P2 for ~2 months is a call for Meredith (short-term HIPAA coverage vs. one-off cost). |
### Awaiting from John Trozzi
### Full list received 2026-04-22 (via staff-editor CSV)
Per his 2026-04-17 email: "I will gather this information for you tomorrow." Expected additions likely include:
- Meredith Kuhn (Executive Director — CEO-equivalent, highest impersonation / PHI risk)
- Ashley Jensen (Assistant Executive Director)
- John Trozzi himself (Facilities/Maintenance Director — judgment call on PHI exposure)
- Lois Lane (Health Services Director — clinical data)
- Karen Rossini (Health Services Manager — clinical data)
- Britney Thompson (Memory Care Nurse — clinical data)
- Shelby Trozzi (Memory Care Director — clinical data)
- Christina DuPras (Resident Services Director)
- Christine Nyanzunda (Memory Care Admin Assistant)
- Susan Hicks (Life Enrichment Director — activity records may include PHI-adjacent data)
- Sharon Edwards (Life Enrichment Assistant)
The CSV encodes access posture per person with three columns: **Access** (D / P / D+P), **Outside Access** (Y/N — i.e. work from home / personal device), **ALIS** (Y/N — resident management system).
Don't presume — wait for John's actual reply before buying licenses.
**P2-needed office staff** (D+P, Outside=Y, ALIS=Y — meets criteria 2 and/or 3 above):
| Department | Name | Title |
|---|---|---|
| Administrative | Meredith Kuhn | Executive Director |
| Administrative | Ashley Jensen | Assistant Executive Director |
| Administrative | Lauren Hasselman | Business Office Director |
| Marketing / Sales | Megan Hiatt | Sales Director (PHI — resident intake) |
| Marketing / Sales | Crystal Rodriguez | Sales Associate (PHI — resident intake) |
| Marketing / Sales | Tamra Matthews | Move-In Coordinator (PHI — **leaving June 2026, confirmed**) |
| AL Nursing | Lois Lane | Health Services Director |
| AL Nursing | Karen Rossini | Health Services Manager |
| AL Nursing | Veronica Feller | Care, AL Aide |
| Memory Care | Shelby Trozzi | Memory Care Director |
| Memory Care | Christine Nyanzunda | MC Admin Assistant |
| Resident Services | Christina DuPras | Resident Services Director |
| Life Enrichment | Susan Hicks | Life Enrichment Director |
| Life Enrichment | Alma R Montt | *(title blank in CSV — follow-up)* |
| Culinary | JD Martin | Culinary Director |
| Culinary | Alyssa Brooks | Dining Manager |
| Maintenance | John Trozzi | Facilities Director |
| Maintenance | Matt Brooks | MC Receptionist / Maintenance (dual-department) |
| Housekeeping | Lupe Sanchez | Housekeeping Director (aka Guadalupe Sanchez) |
**Subtotal: 19 office-staff P2 licenses.**
**Outside=N, ALIS=Y staff** (D+P, in-building only — criteria 1 may apply if they use a personal phone on-site):
| Department | Name | Notes |
|---|---|---|
| Administrative | Allison Reibschied | Accounting Assistant |
| AL Nursing / none | — | — |
| Life Enrichment | Sharon Edwards | LE Assistant (Outside=N but ALIS=Y) |
| Culinary | Ramon Castaneda | Kitchen Manager (Outside=N, ALIS=N — actually no P2 need unless we go building-only-restrict-everyone) |
Allison + Sharon are borderline — ALIS handling alone doesn't mandate P2, but if we go the "enforce building-only sign-in for anyone with ALIS access" route, they'd need P2 to carry the CA policy. Wait for the "restrict everyone or just some" decision before deciding.
**Note on Britney Thompson:** Previously predicted as a likely P2 candidate, absent from the 2026-04-22 CSV return. **Confirmed 2026-04-22 (Howard) — still an employee; needs Desktop + possibly Phone access.** Treated as Office-PHI (external-OK) clinical staff for license math until Meredith specifies a different posture. Add to purchase count.
**Note on Polett Pinazavala:** On the original 2026-04-18 caregiver roster, absent from the 2026-04-22 CSV return. **Confirmed 2026-04-22 (Howard) — still an employee; needs Desktop + possibly Phone.** Treated as Caregiver for license math (included in the caregiver rollout count, not in the office P2 count).
**Shared-PC receptionists** (D only, no Outside, no ALIS): Cathy Kingston, Shontiel Nunn, Kyla Quick Tiffany, Michelle Shestko — four people on shared front-desk PCs. No individual P2 needed; their story is shared-account vs individual-account, not P2.
**Courtesy Patrol** (D+P, no Outside, no ALIS): Sebastian Leon, Sheldon Gardfrey, Ray Rai — in-building only, no ALIS. No P2 need.
**Drivers** (P only): Richard Adams, Julian Crim, Christopher Holick — phone-only access. Covered by the caregiver/mobile rollout if we treat them the same, otherwise simpler F-SKU / Exchange-Online-only licensing.
**Caregivers** (39 rows including 2 "Reliable Agency" placeholders): covered by `docs/cloud/caregiver-m365-p2-rollout.md`, not this list.
## Decision still open (from Howard's 2026-04-16 email to leadership)
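Review bot: Matt Brooks appears in the 19-row "P2-needed office staff" table, but his CSV row is `D+P,N,Y` (Outside=N), so he fails the table's own Outside=Y filter; that subtotal is 18, and he belongs in the Outside=N/ALIS=Y table with Allison and Sharon, making that group three. The second table also carries an empty placeholder row (`AL Nursing / none | — | —`) that should be deleted, and lists Ramon Castaneda even though his row is ALIS=N, so he does not match the heading either; a one-line note would serve him better. These counts feed the scenario table below, so correct them before any purchase number is quoted.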
@@ -68,17 +105,19 @@ No answer yet. This decision directly changes the license count and the CA polic
| Scenario | Qty | Notes |
|---|---|---|
| Confirmed today (Crystal, Megan, Tamra-through-June) | 3 | Crystal's reply |
| Likely additions from John + Meredith (guessed) | ~58 | Wait for actual reply |
| All staff (if "restrict everyone" decision) | ~23 | Equals the full post-cleanup licensed-user count from `docs/cloud/m365.md` |
| Confirmed P2-needed (Outside=Y + ALIS=Y office staff from CSV) | **19** | See table above |
| + Britney Thompson (confirmed 2026-04-22, CSV-omitted, clinical PHI) | **20** | Office-PHI tier |
| Add borderline (Outside=N + ALIS=Y: Allison + Sharon) | **22** | Only if we pick "restrict-everyone-with-ALIS" posture |
| All staff (if "restrict everyone" decision) | ~32 office + 40 caregivers (incl. Polett) | Full headcount including the two CSV-omitted returnees |
## Action items
- [ ] Follow up with John Trozzi on the gathering — he owes us the list
- [ ] Push Meredith for the "restrict everyone or just some" decision
- [ ] When list is final, decide: standalone P2 add-on OR move those users to Business Premium OR move the whole tenant to Business Premium (recommended)
- [x] ~~Follow up with John Trozzi on the gathering — he owes us the list~~ (received 2026-04-22 via CSV)
- [ ] Push Meredith for the "restrict everyone or just some" decision — still unanswered as of 2026-04-22
- [ ] Resolve open CSV questions (see `clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md`): Kyla Quick Tiffany spelling, Ederick Yuzon spelling, Christine Nyanzunda caregiver-overlap, Alma R Montt title, Britney Thompson status
- [ ] Decide: standalone P2 add-on for the 19 OR move those users to Business Premium OR move whole tenant to Business Premium (default recommendation: Premium tenant-wide)
- [ ] Build CA policy `CSC - Office Staff PHI Access` separate from the caregiver mobile policy
- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026)
- [ ] Remember to REMOVE Tamra's license + CA exclusion on her departure date (June 2026 — confirmed)
## Related docs
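Review bot: the open-questions action item still lists "Christine Nyanzunda caregiver-overlap" and "Britney Thompson status" as unresolved, yet the Britney note above (and the commit message) mark both confirmed on 2026-04-22; trim the item to what is genuinely open (Kyla's surname versus payroll, Ederick's spelling, Alma's title). The license-decision item says "standalone P2 add-on for the 19" while the scenario row directly above already moves the office count to 20 with Britney; use one number. The Tamra reminder needs a concrete departure date or a ticket reference rather than "June 2026" to be something anyone can act on.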


@@ -0,0 +1,196 @@
# User Account Rollout Plan — Cascades of Tucson
**Status:** Planning — no account creation or license assignment yet.
**Created:** 2026-04-22 (Howard)
**Inputs:**
- `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*)
- `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled)
- `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver identity/phone plan (39 caregivers)
- `docs/cloud/p2-staff-candidates.md` — P2 license sizing for the office-staff side
- `docs/cloud/m365.md` — current M365 tenant state
## 1. Scope
Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, licensed and policy-covered according to the **Access / Outside Access / ALIS** posture columns they returned. This plan covers the identity layer only — device/MDM work is already tracked in `caregiver-m365-p2-rollout.md` and the Intune rollout, and folder redirection continues under the existing GPO workstream.
**Explicitly out of scope here:**
- Device enrollment (Intune flow already designed)
- Folder redirection GPO edits (separate workstream, already validated on DLTAGOI)
- M365 tenant licensing *purchase* decision (decision gated — see §10)
## 2. Personas (derived from CSV access matrix)
| Persona | Access | Outside | ALIS | Count | Examples |
|---|---|---|---|---|---|
| **Office-PHI (external-OK)** | D+P | Y | Y | 19 | Meredith, Megan, Lois, Susan, JD, John Trozzi, Lupe |
| **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards |
| **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda |
| **Courtesy Patrol** | D+P | N | N | 3 | Sebastian Leon, Sheldon Gardfrey, Ray Rai |
| **Shared-PC Reception** | D | N | N | 4 | Cathy, Shontiel, Kyla, Michelle |
| **Driver (phone-only)** | P | N | N | 3 | Richard Adams, Julian Crim, Christopher Holick |
| **Caregiver (shared-phone)** | D+P | N | Y | 37 | See caregiver-m365-p2-rollout.md |
| **Agency placeholder** | D+P | N | Y | 2 | "Reliable Agency 1/2" |
(Totals: 71 including agency placeholders. Office: 29, Reception: 4, Drivers: 3, Caregivers: 37 + 2 agency = 39. One person — Christine Nyanzunda — sits in two personas: MC Admin + part-time MedTech, one account, caregiver-tier controls apply when on shift.)
## 3. License mapping per persona
**Guiding principles:**
1. Default to **Business Premium** tenant-wide (already the recommendation in `p2-staff-candidates.md` — bundles Intune + P2 + Defender + DLP).
2. Use **F3** only for phone-only users (drivers) where Premium is overkill and F3 covers Exchange/Teams needs.
3. Reception shared PCs get shared *mailboxes* for `Frontdesk@`, but each named receptionist gets her own licensed account so audits attribute individual actions.
| Persona | License | Notes |
|---|---|---|
| Office-PHI (external-OK) | **Business Premium** | CA: compliant device OR trusted location |
| Office-PHI (in-building) | **Business Premium** | CA: trusted location only |
| Office non-PHI (in-building) | Business Standard (or Premium if tenant-wide) | CA: trusted location only if we go that route |
| Courtesy Patrol | Business Standard | Could be F3 if they don't need full desktop Office; confirm with Meredith |
| Shared-PC Reception | Business Standard | Frontdesk@ stays as shared mailbox, named accounts read it |
| Driver (phone-only) | **F3** | Phone-tier, no desktop install, Transportation@ shared mailbox |
| Caregiver | **Business Premium** | Per `caregiver-m365-p2-rollout.md` — P2 is load-bearing for shared-phone CA |
| Agency placeholder | Do not license | Create AD-only accounts if they need ALIS web login; otherwise omit |
Expected license count at full rollout:
- Business Premium: 19 (office PHI ext) + 2 (office PHI int) + 37 caregivers = **58**
- Business Standard: 1 + 3 courtesy + 4 reception = **8**
- F3: 3 drivers = **3**
Totals bracket the `p2-staff-candidates.md` estimate of ~61 Premium. If Meredith chooses "restrict everyone to building," it doesn't change this headline — it changes CA policy scope.
## 4. AD OU + group layout (proposed)
Current `cascades.local` OU layout is loose (see `docs/servers/active-directory.md`). Proposed structure to align with the persona matrix and folder-redirection GPOs already in place:
```
OU=Cascades Users
├── OU=Administrative
├── OU=Marketing (new name for existing Marketing dept)
├── OU=Care-AssistedLiving
├── OU=Care-MemoryCare
├── OU=ResidentServices
│ ├── OU=FrontDesk (reception shared-PC users)
│ └── OU=CourtesyPatrol
├── OU=LifeEnrichment
├── OU=Culinary
├── OU=Maintenance
├── OU=Housekeeping
├── OU=Transportation (drivers)
└── OU=Caregivers (all 37 shift staff)
```
**Security groups (AD-synced, Entra-usable):**
- `SG-Office-PHI-External` — 19 people, drives CA policy + Premium license group
- `SG-Office-PHI-Internal` — 2 people (Allison, Sharon)
- `SG-CourtesyPatrol` — 3
- `SG-FrontDesk` — 4
- `SG-Drivers` — 3
- `SG-Caregivers` — 37 (already exists or needs creating — check against current `Cascades - Shared Phones` Entra group, which may already cover this)
CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirection, local policy) only.
## 5. Conditional Access policy set
One named CA policy per persona/posture to keep the decision tree flat:
| Policy | Targets | Grant |
|---|---|---|
| `CSC - Office PHI External` | SG-Office-PHI-External | Require compliant device OR trusted location + MFA |
| `CSC - Office PHI Internal` | SG-Office-PHI-Internal | Block except from trusted location |
| `CSC - FrontDesk Building-Only` | SG-FrontDesk | Block except from trusted location |
| `CSC - Courtesy Patrol Building-Only` | SG-CourtesyPatrol | Block except from trusted location |
| `CSC - Drivers Phone-Only` | SG-Drivers | Require compliant Intune-managed phone; no web fallback |
| `CSC - Caregivers Shared Phone` | SG-Caregivers | Already designed per `caregiver-m365-p2-rollout.md` |
**Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`).
## 6. Pre-flight reconciliation (CSV vs current AD)
These must be resolved before creating or converting accounts. See also `cascades-staff-followup-2026-04-22.md`.
| Discrepancy | Status | Action |
|---|---|---|
| **Britney Thompson** — in AD (enabled, Memory Care Nurse), NOT on returned CSV | **Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone.** | Keep existing AD account. Treat as Office-PHI / clinical (D+P, ALIS=Y). Confirm phone tier and Outside posture with Meredith. |
| **Polett Pinazavala** — on 2026-04-18 caregiver roster, NOT on returned CSV | **Resolved 2026-04-22 (Howard) — still employed. Desktop + maybe Phone.** | Keep on caregiver roster. Include in Wave 3 caregiver account creation. Confirm phone tier with Meredith. |
| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Confirmed 2026-04-22 (Howard) — one person, one account.** | One account in `OU=Care-MemoryCare`. Office-PHI CA policy as primary; verify shared-phone sign-in works within that envelope before caregiver-CA change is considered. |
| **Alma R Montt** — on CSV (Life Enrichment), NOT in AD, title blank | **Username assigned 2026-04-22 (Howard): `Alma.Montt`.** Title still pending Meredith. | Create AD account at `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Populate title once Meredith answers. |
| **Kyla Quick Tiffany** — on CSV and in AD "needs account" list | **Username assigned 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account at `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. |
| **Ederick Yuzon** — spelling not confirmed | Still pending Meredith. | Block on creation; use `Ederick.Yuzon` tentatively if Meredith confirms. |
| **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. |
| **37 caregivers** — on CSV, none in AD | Unchanged. | Create all 37 AD accounts (+ M365) in Wave 3. |
| **2 agency placeholders** — on CSV, not in AD | Unchanged. | Decide with Meredith: real accounts or ALIS-only? |
| **Generic AD accounts** (`Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare`) | Unchanged. | Phase 5 cleanup after named-account coverage. |
**Username convention for new accounts:** TitleCase `First.Last` (e.g., `Alma.Montt`, `Kyla.QuickTiffany`). Existing lowercase exceptions in AD (`britney.thompson`, `karen.rossini`, `lauren.hasselman`) are the known legacy cases — leave as-is, don't rename. All net-new accounts follow TitleCase.
## 7. Rollout sequence
### Wave 0 — Pre-flight (blocks waves 1+)
- Get answers to the 5 follow-up questions (Kyla/Ederick/Christine/Alma/Britney) + the "restrict-everyone or selective" policy decision from Meredith
- Close Polett Pinazavala discrepancy
- Final license decision (Business Premium tenant-wide vs. mixed)
- Purchase license count locked in
### Wave 1 — New office accounts (low blast radius)
- Create AD + M365 for Alma R Montt and Kyla Quick Tiffany (the only new office/reception accounts the CSV produces)
- Validate group membership + CA policy assignment on these two before touching anyone else
- Pilot the `CSC - FrontDesk Building-Only` policy with Kyla
### Wave 2 — Existing office accounts, reassignment only
- Move existing users into new OU layout (no identity changes, just OU move + group membership)
- Attach each to the correct `SG-*` group based on CSV persona
- CA policies begin applying; watch for sign-in failures
### Wave 3 — Caregiver bulk creation
- Execute `caregiver-m365-p2-rollout.md` rollout — 37 AD + M365 accounts, SG-Caregivers, shared-phone CA
- Already designed; this plan just sequences it after office wave
### Wave 4 — Cleanup
- Disable/remove `Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare` generics once their functions are covered by named accounts + shared mailboxes
- Disable departed accounts (Britney pending answer, Tamra on departure June 2026)
- Rotate `krbtgt` password (noted stale in AD doc — overdue)
## 8. Account creation template (per new user)
Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built later; plan-level checklist:
1. AD account: `First.Last` (consistent with existing convention; note lowercase exceptions for Britney, Karen, Lauren — new accounts use TitleCase)
2. UPN: `first.last@cascadestucson.com`
3. Password: auto-generated, stored in vault (`clients/cascades-tucson/new-user-<name>.sops.yaml`), delivered to Meredith via 1Password share
4. OU placement per persona
5. Group membership: department-appropriate `SG-*`
6. M365 license assignment (group-based if feasible)
7. Mailbox creation (Exchange Online)
8. ALIS account provisioning (separate system — Meredith/Lois handle)
9. MFA registration — push to user first login
10. Confirmation email to Meredith with username + password-share link
## 9. Dependencies on other workstreams
- **Folder redirection GPO rollout** (`CONTEXT.md` §48) — when we move users to new OUs, make sure the FR GPOs are re-linked to the new OU or stay linked to parent `OU=Cascades Users`. Test on one mover before batch.
- **Intune phone rollout** (`PROJECT_STATE.md`) — caregiver accounts must exist before Wave 3 of phone deployment (24 remaining Samsung A15s). Identity-first, device-second.
- **Business Premium purchase proposal** (`docs/proposals/m365-premium-upgrade.md`) — blocks wave 1 if Meredith hasn't approved license spend.
## 10. Open decisions blocking the rollout
1. **"Restrict everyone to building" vs. selective** — Meredith, outstanding since 2026-04-16. Determines CA scope.
2. **Business Premium tenant-wide vs. mixed SKUs** — Meredith, tied to the upgrade proposal.
3. **Ederick Yuzon spelling** — Meredith/John, in the 2026-04-22 follow-up email.
4. **Alma R Montt title** — Meredith/John, in the follow-up email.
5. **Britney phone + Outside posture** — Meredith (employment confirmed by Howard; access tier still TBD).
6. **Polett phone + Outside posture** — Meredith (employment confirmed by Howard; access tier still TBD).
7. **Agency placeholder accounts — real or ALIS-only?** — Meredith.
8. **Drivers: F3 or Business Standard?** — Meredith (cost vs. Office install need).
**Resolved 2026-04-22 (Howard):** Christine Nyanzunda = one person, one account. Kyla = `Kyla.QuickTiffany` (her preference). Alma = `Alma.Montt`. Britney + Polett both still employed.
## 11. Related docs
- `reports/cascades-staff-2026-04-22.csv`
- `docs/cloud/cascades-staff-followup-2026-04-22.md`
- `docs/cloud/p2-staff-candidates.md`
- `docs/cloud/caregiver-m365-p2-rollout.md`
- `docs/cloud/m365.md`
- `docs/servers/active-directory.md`
- `docs/proposals/m365-premium-upgrade.md`
- `docs/security/hipaa.md`
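Review bot: the §2 persona counts do not reconcile with the CSV in this commit: Matt Brooks's row is Outside=N, which makes Office-PHI (external-OK) 18 and Office-PHI (in-building) 3, and the totals line's "Office: 29" only sums to 71 if it is 25 (19+2+1+3) with Reception counted separately, as the rest of the line does. §7 Wave 0 ("5 follow-up questions (Kyla/Ederick/Christine/Alma/Britney)") and Wave 4 ("Britney pending answer") still treat items as open that §6 and §10 mark resolved; align them. On the security side: the three "Block except from trusted location" policies in §5 should be created in report-only mode first and must exclude a break-glass account, because a change to the site's public IP (or an error in the pfSense NAT range used for the named location) would otherwise lock out every targeted group at once. The overdue `krbtgt` rotation in Wave 4 does not depend on any account work and should not wait for it; rotate twice, leaving at least the domain's maximum replication interval between the two resets so old tickets expire cleanly. In §8 step 3 the initial password ends up in two places (the sops vault file and a 1Password share); keep one, and set the account to require a password change at first logon so the stored copy stops being a valid credential after the user's first sign-in.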


@@ -0,0 +1,72 @@
Department,Name,Title / Role,Access,Outside Access,ALIS,Notes
Administrative,Meredith Kuhn,Executive Director,D+P,Y,Y,
Administrative,Ashley Jensen,Assistant Executive Director,D+P,Y,Y,
Administrative,Lauren Hasselman,Business Office Director,D+P,Y,Y,
Administrative,Allison Reibschied,Accounting Assistant,D+P,N,Y,
Marketing / Sales,Megan Hiatt,Sales Director,D+P,Y,Y,Handles resident intake (PHI)
Marketing / Sales,Crystal Rodriguez,Sales Associate,D+P,Y,Y,Handles resident intake (PHI)
Marketing / Sales,Tamra Matthews,Move-In Coordinator,D+P,Y,Y,Leaving June 2026 — confirm yes
"Care, Assisted Living (Nursing / Clinical)",Lois Lane,Health Services Director,D+P,Y,Y,
"Care, Assisted Living (Nursing / Clinical)",Karen Rossini,Health Services Manager,D+P,Y,Y,
"Care, Assisted Living (Nursing / Clinical)",Veronica Feller,"Care, Assisted Living Aide",D+P,Y,Y,
"Care, Memory Care",Shelby Trozzi,Memory Care Director,D+P,Y,Y,
"Care, Memory Care",Christine Nyanzunda,Memory Care Admin Assistant,D+P,Y,Y,Also on caregiver list — same person?
Resident Services,Christina DuPras,Resident Services Director,D+P,Y,Y,
Resident Services,Cathy Kingston,Receptionist,D,N,N,Front desk shared PC
Resident Services,Shontiel Nunn,Receptionist,D,N,N,Front desk shared PC
Resident Services,Kyla Quick Tiffany,Receptionist,D,N,N,"Is the spelling correct? Three separate names, or is it 'Quick-Tiffany' with a hyphen?"
Resident Services,Michelle Shestko,MC Receptionist,D,N,N,MC front desk shared PC
Resident Services,Sebastian Leon,Courtesy Patrol,D+P,N,N,
Resident Services,Sheldon Gardfrey,Courtesy Patrol,D+P,N,N,
Resident Services,Ray Rai,Courtesy Patrol,D+P,N,N,
Life Enrichment,Susan Hicks,Life Enrichment Director,D+P,Y,Y,
Life Enrichment,Sharon Edwards,Life Enrichment Assistant,D+P,N,Y,
Life Enrichment,Alma R Montt,,D+P,Y,Y,
Culinary,JD Martin,Culinary Director,D+P,Y,Y,
Culinary,Ramon Castaneda,Kitchen Manager,D+P,N,N,
Culinary,Alyssa Brooks,Dining Manager,D+P,Y,Y,
Maintenance,John Trozzi,Facilities Director,D+P,Y,Y,
Maintenance,Matt Brooks,Memory Care Receptionist,D+P,N,Y,HR says Maintenance — which is correct? he works in both departments
Housekeeping,Lupe Sanchez,Housekeeping Director,D+P,Y,Y,AKA Guadalupe Sanchez
Transportation,Richard Adams,Driver,P,N,N,
Transportation,Julian Crim,Driver,P,N,N,
Transportation,Christopher Holick,Driver,P,N,N,
Caregivers (shift staff),Thelma Abainza,Caregiver — Tower (TueSat),D+P,N,Y,
Caregivers (shift staff),Niel Castro,MedTech / CCG — Tower (TueSat),D+P,N,Y,
Caregivers (shift staff),Espe Esperance,MedTech — Tower (TueSat),D+P,N,Y,
Caregivers (shift staff),Barbara Johnson,Caregiver — Tower (TueSat),D+P,N,Y,
Caregivers (shift staff),Kasey Flores,Caregiver — Memory Care (TueSat),D+P,N,Y,
Caregivers (shift staff),Richard Flores,Caregiver — Memory Care (TueSat),D+P,N,Y,
Caregivers (shift staff),Marie Kastner,Caregiver — Memory Care (TueSat),D+P,N,Y,
Caregivers (shift staff),Bella Mendoza,Caregiver — Memory Care (TueSat),D+P,N,Y,
Caregivers (shift staff),Rosa Morales,MedTech — Memory Care (TueSat),D+P,N,Y,
Caregivers (shift staff),Sandra Padilla,MedTech / CCG — Tower (TueSat),D+P,N,Y,
Caregivers (shift staff),Whisper Reed,MedTech — Tower overnight (TueSat),D+P,N,Y,
Caregivers (shift staff),Patricia Sandoval-Beck,MedTech — Tower (TueSat),D+P,N,Y,Hyphenated last name — correct? correct
Caregivers (shift staff),Charity Sika,Caregiver — Memory Care (TueSat),D+P,N,Y,
Caregivers (shift staff),Ederick Yuzon,Caregiver — Tower (TueSat),D+P,N,Y,Confirm spelling
Caregivers (shift staff),Juan Andrade,Caregiver — Memory Care (SunThu),D+P,N,Y,
Caregivers (shift staff),Jahmeka Clarke,MedTech — Memory Care (SunThu),D+P,N,Y,
Caregivers (shift staff),Karina Aziakpo,MedTech / CCG — MC overnight (SunThu),D+P,N,Y,
Caregivers (shift staff),Jinnelle Dittbenner,Caregiver — Tower (SunThu),D+P,N,Y,
Caregivers (shift staff),Agnes McFerren,Caregiver — Tower (SunThu),D+P,N,Y,
Caregivers (shift staff),Samuel Ramirez,Caregiver — Tower (SunThu),D+P,N,Y,
Caregivers (shift staff),Erica Sanchez,Caregiver — Memory Care (SunThu),D+P,N,Y,
Caregivers (shift staff),Katrina Wyzykowski,MedTech — Memory Care (SunThu),D+P,N,Y,
Caregivers (shift staff),Corey Tate,Caregiver — Tower NOC (SunThu),D+P,N,Y,
Caregivers (shift staff),Ashli Atwood,MedTech / CCG — MC overnight (FriMon),D+P,N,Y,
Caregivers (shift staff),Cole Johnson,MedTech — Tower (FriMon),D+P,N,Y,
Caregivers (shift staff),Roseline Cooper,Caregiver — MC overnight (FriMon),D+P,N,Y,
Caregivers (shift staff),Monique Lopez,Caregiver — Tower Fri+Sat doubles,D+P,N,Y,
Caregivers (shift staff),Gloria Williford,MedTech — MC Fri+Sat doubles,D+P,N,Y,
Caregivers (shift staff),Sarah Carroll,Caregiver — Tower (ThuMon),D+P,N,Y,
Caregivers (shift staff),Luke Hogan,Caregiver — Tower (ThuMon),D+P,N,Y,
Caregivers (shift staff),Gina Williams,Caregiver — Tower (ThuMon),D+P,N,Y,
Caregivers (shift staff),Jen Higdon,Caregiver — Tower M/W/F AM,D+P,N,Y,
Caregivers (shift staff),Mary Kariuki,Caregiver — Tower SatMon + Wed PM,D+P,N,Y,
Caregivers (shift staff),CeCe Lassey,Caregiver — Tower Sun/Mon doubles + Tue PM,D+P,N,Y,
Caregivers (shift staff),Paty Doran,MedTech / CCG — Tower Sun/Mon only,D+P,N,Y,"Paty, Patti, or Patricia? Patricia Camarena Doran"
Caregivers (shift staff),Ezekiel Huerta,Caregiver PRN — Tower,D+P,N,Y,
Caregivers (shift staff),Maia Baker,MedTech PRN — Memory Care,D+P,N,Y,Is she still employed? part time
Caregivers (shift staff),Reliable Agency 1,,D+P,N,Y,
Caregivers (shift staff),Reliable Agency 2,,D+P,N,Y,
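Review bot: the Notes column still carries unanswered questionnaire prompts that no other document in this commit picks up: Maia Baker ("Is she still employed? part time"), Paty Doran ("Paty, Patti, or Patricia? Patricia Camarena Doran"), and the Tamra Matthews row, where "confirm yes" is an answer wedged into the question. Since this file is named the source of truth for who should exist, either add these to the follow-up email and the §10 open-decisions list or strip the question text and keep only the answers. The Matt Brooks row records Outside=N while both the p2-candidates table and the rollout persona table count him as Outside=Y; whichever is right, fix the other side.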
@@ -0,0 +1,108 @@
# 2026-04-22 — Cascades staff CSV ingest + AD/M365 user rollout plan
## User
- **User:** Howard Enos (howard)
- **Machine:** HOWARD-HOME
- **Role:** tech
## Session Summary
Meredith Kuhn and John Trozzi returned the staff-editor questionnaire that Howard sent 2026-04-18. CSV saved to `C:\Users\Howard\Documents\cascades-staff-2026-04-22-1434.csv`. This session ingested that CSV into the repo, updated the P2 license candidate doc with the real list, drafted a follow-up email for the remaining open items, and wrote the full AD + M365 user-setup rollout plan.
Howard then answered several of the open items live:
- **Britney Thompson** — still employed. Needs desktop access and possibly phone. Keep her AD account; treat as Office-PHI clinical for license math until Meredith specifies posture.
- **Polett Pinazavala** — still employed. Same treatment as Britney; she stays on the caregiver roster.
- **Christine Nyanzunda** — one person with two roles (MC Admin + part-time Sun/Mon MedTech), one account.
- **Alma R Montt** — username `Alma.Montt`. Title still pending Meredith.
- **Kyla Quick Tiffany** — username `Kyla.QuickTiffany` (Kyla's own preference — last name as one word). Treated as a Shared-PC Reception user.
- **Naming convention:** All NEW accounts follow TitleCase `First.Last`. The lowercase exceptions in AD (`britney.thompson`, `karen.rossini`, `lauren.hasselman`) are the only known legacy cases — leave as-is, don't rename.
Howard will edit the follow-up email himself and send from his desktop, then return the sent copy.
## Key Decisions
1. **CSV placement:** `clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv` (Howard's choice).
2. **Persona model:** Eight personas derived from CSV columns (Access / Outside / ALIS). See §2 of the rollout plan.
3. **License default:** Business Premium tenant-wide, with F3 only for the 3 drivers and Business Standard fallback for non-PHI office roles if tenant-wide Premium isn't approved.
4. **Rollout waves:** W0 pre-flight → W1 new office accounts (Alma, Kyla) → W2 existing office reassignment → W3 caregiver bulk creation → W4 generics cleanup.
5. **Britney on license list:** Office-PHI tier by default given clinical role, until Meredith provides a different posture call. Bumps office P2 count 19 → 20.
## Problems Encountered / Deltas Found
- **Britney Thompson** — active in AD but absent from the CSV return. Resolved live: still employed.
- **Polett Pinazavala** — on 2026-04-18 caregiver roster, absent from CSV. Resolved live: still employed.
- **37 caregivers** have no individual AD accounts today (verified against `docs/servers/active-directory.md`). Wave 3 creates all 37.
- **Agency placeholders (2 rows)** need a decision on whether they become real accounts or ALIS-web-only logins. Deferred to Meredith.
## Credentials / Secrets
None handled or discovered this session. No vault reads. No credentials in any of the created docs.
## Infrastructure / Servers Referenced
- CS-SERVER (`192.168.2.254`) — primary DC for `cascades.local`, only DC, all FSMO roles. Source of truth for current AD state.
- M365 tenant: `cascadestucson.com`, tenant ID `207fa277-e9d8-4eb7-ada1-1064d2221498`.
- GuruRMM: Cascades client `42e1b0e3-f8b7-4fc5-86bd-06bdbb073b7f`, site `c157c399-82d3-4581-979a-b9fad70f4fef` (unchanged).
- Entra group `Cascades - Shared Phones` (existing, dynamic — drives Intune phone rollout; possibly overlaps with the proposed `SG-Caregivers` AD-sync group).
No infrastructure changes made. Plan-level only.
## Files Created
| Path | Purpose |
|---|---|
| `clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv` | Meredith/John's returned staff-editor CSV, 70 rows. Source of truth for who should exist and with what access posture. |
| `clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md` | Draft email to Meredith/John with 6 open questions (Kyla, Ederick, Christine, Alma, Britney, Polett) plus the pending "restrict everyone or selective" decision. Howard will edit and send. |
| `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md` | Full AD/M365 rollout plan: 8 personas, license mapping, OU/group layout, CA policy set, pre-flight reconciliation, 4-wave rollout sequence, 8 open decisions. |
## Files Modified
| Path | Change |
|---|---|
| `clients/cascades-tucson/docs/cloud/p2-staff-candidates.md` | Replaced "Awaiting from John Trozzi" section with real persona tables from CSV. Added Britney + Polett notes (still employed, confirmed live). Updated license math: 19 office P2 → 20 with Britney. Closed "follow up with John" action item. |
## Commands Run
- `cp "/c/Users/Howard/Documents/cascades-staff-2026-04-22-1434.csv" "clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv"` — CSV ingest.
- Various `git status`, `git log`, `git show` for context.
- Read operations across `clients/cascades-tucson/docs/cloud/` and `docs/servers/active-directory.md` for cross-reference.
No destructive commands. No database, no credential, no network changes.
## Pending / Next Steps
### Blocked on Meredith / John (in the follow-up email)
1. "Restrict everyone to building" vs. selective — outstanding since 2026-04-16.
2. Business Premium tenant-wide vs. mixed SKUs — tied to upgrade proposal.
3. Ederick Yuzon spelling.
4. Alma R Montt title.
5. Britney Thompson access posture (phone? Outside?).
6. Polett Pinazavala access posture (phone? Outside?).
7. Agency placeholders — real accounts or ALIS-only?
8. Drivers — F3 or Business Standard?
### Waiting for Howard
- Edit and send the follow-up email from `cascades-staff-followup-2026-04-22.md`. Return the final version so it's in the repo as the actual sent copy.
### Ready to execute once answers come back
- Wave 1 account creation: `Alma.Montt`, `Kyla.QuickTiffany`
- Britney Thompson: confirm and apply persona tags
- Wave 3 caregiver bulk creation: 37 accounts (includes Polett)
## Reference
- Rollout plan: `clients/cascades-tucson/docs/cloud/user-account-rollout-plan.md`
- P2 candidates (updated): `clients/cascades-tucson/docs/cloud/p2-staff-candidates.md`
- Caregiver-side plan (cross-reference): `clients/cascades-tucson/docs/cloud/caregiver-m365-p2-rollout.md`
- AD state: `clients/cascades-tucson/docs/servers/active-directory.md`
- Source CSV: `clients/cascades-tucson/reports/cascades-staff-2026-04-22.csv`
- Follow-up email draft: `clients/cascades-tucson/docs/cloud/cascades-staff-followup-2026-04-22.md`
## Note for Mike
Cascades user rollout design is done at the plan level — 8 personas, license math, OU/group layout, CA policy set, 4-wave sequence. Blocked on 7 decisions from Meredith (see §10 of the plan). No license spend or account creation yet. Your call at any point to change the tenant-wide Business Premium default if budget says otherwise.
Also flagging: Britney Thompson was absent from Meredith's returned CSV but is still employed per Howard — worth you confirming with Meredith next time you see her, since the omission is a signal she may not be top-of-mind for the access-policy work. Same for Polett Pinazavala on the caregiver side.
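Review bot: the open-item counts disagree within the file: the Files Created table describes the follow-up email as carrying "6 open questions", the rollout-plan entry says "8 open decisions", Pending / Next Steps lists 8 items blocked on Meredith / John, and the Note for Mike says "Blocked on 7 decisions"; pick one count and point at the numbered list so nobody chases a phantom item. Also, the Session Summary defaults Britney Thompson to the Office-PHI clinical tier "for license math" while the Pending section still lists her access posture as undecided; state explicitly that the default drives the license count only and that no group membership, CA scope or phone enrollment is applied until the posture call comes back, so the placeholder does not become the de facto access grant.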