sync: auto-sync from GURU-5070 at 2026-06-02 07:25:49

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 07:25:49
2026-06-02 07:25:55 -07:00
parent 13c7ad3c82
commit f8ed03c75a
54 changed files with 1349 additions and 2 deletions


@@ -0,0 +1,12 @@
---
name: cascades-user-security-group
description: When creating or adding any Cascades user, always ask which security group(s) the account goes into — deliberate decision, never auto-derived from OU
metadata:
type: feedback
---
When creating, or being asked to create, any Cascades user account (AD or M365), always ask the user **which security group(s)** the new account should be a member of. Include it explicitly in the creation preview/confirmation alongside name, UPN, and OU — do not assume it from the OU, department, or job title.
**Why:** Howard explicitly declined an `OU=Caregivers` -> `SG-Caregivers` auto-mirror script (2026-05-14). Security-group membership controls what access and Conditional Access policies apply to a user; he wants that to stay a deliberate, reviewed decision per user, not automated away. OU placement is mechanical (it controls Entra Connect sync scope); group membership is an access-control decision and must be made consciously.
**How to apply:** During any Cascades user-creation flow, ask "which security group(s)?" and confirm it in the preview. For caregivers specifically: the account goes in `OU=Caregivers` (for sync scope) AND must be deliberately added to `SG-Caregivers` (for CA policy coverage) — two separate, intentional steps, neither auto-derived from the other.
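Review bot: The rule states the decision but not the empty case in the "How to apply" paragraph: say what the creation flow does when the requester gives no security group at all (refuse to create, or create and flag the account as having no group membership), because by the file's own reasoning a caregiver placed in `OU=Caregivers` but not added to `SG-Caregivers` syncs into scope with no Conditional Access coverage. A one-line post-creation check would also close the loop, e.g. "after creation, confirm the membership actually applied (e.g. `Get-ADGroupMember SG-Caregivers`) rather than relying on the preview alone", so the deliberate decision is verified, not just confirmed up front.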