# Dataforth — Proposed Target Folder Structure (DRAFT / strawman)

**By:** ACG (Howard) · **Date:** 2026-06-22 · **Status:** DRAFT — pre-client-input
**Inputs:** inferred from existing shares + folder contents in [current-state-2026-06-10.md](./current-state-2026-06-10.md), [acl-audit-detail-2026-06-10.md](./acl-audit-detail-2026-06-10.md), and the ENGR exploration notes. Refine against Dataforth's access matrix (Phase 1 reply) before sign-off.

> Purpose: lay out as much of the Phase 2 target-state design as we can **from the data
> we already have** — the way Dataforth has their shares arranged today already tells us
> their departments and data domains. This maps the current sprawl onto the common
> departmental-share pattern. Nothing here is implemented; it is the proposal we hand the
> client (simplified) for confirmation.

---

## 1. What today's layout tells us (departments inferred from the data)

Their existing shares/folders are effectively **organized by department already** — just spread across eight shares with no access control.
Reading the structure backwards gives us a strong starting department list:

| Evidence in current shares/folders | Implied department / domain |
|---|---|
| `Engineering` (B:), `e-drive` ENGR/ECO'S/FMEA/TE, `archive` (Y:), ATE/DESIGN/Project Reports | **Engineering** (+ Test Engineering sub) |
| c-drive Manufacturing / Production Control / SMT; e-drive MANUFACT | **Manufacturing / Production** |
| FMEA, ECO'S, Test Equipment, calibration/ATE | **Quality / Calibration** |
| `sales` (W:) — marketing, contacts, RMAs, shipping handoffs | **Sales & Marketing** |
| c-drive Shipping; sales shipping handoffs | **Shipping / Receiving** |
| c-drive Purchasing, **Purchase Orders** | **Purchasing** |
| `sage` (S:), e-drive **QBfiles**, invoices, financial reports | **Accounting / Finance** (restricted) |
| c-drive **Payroll** | **Payroll / HR** (restricted) |
| c-drive **OSHA 300 / OSHA Safety Training** | **HR / Safety** (restricted) |
| `itsvc`, `webshare` (datasheet automation) | **IT** (+ app/infra) |
| Person-named + "Do not use" folders across c-drive/sales | legacy → **Archive / cleanup** |

Departments we can confidently propose: **Engineering, Manufacturing/Production, Quality/Calibration, Sales & Marketing, Shipping/Receiving, Purchasing, Accounting/Finance, HR/Payroll, IT, Management/Exec.** (Matches the discovery-email starter list — the existing data corroborates it.)

---

## 2. Target structure — the "north star" (consolidated departmental share)

The standard pattern: **one logical tree**, departmental subfolders, a broken-inheritance **Restricted** branch for sensitive data, a read-mostly **Company-Wide** area, per-user **Users** home folders, and a read-only **Archive**. Access-Based Enumeration (ABE) on so people only see what they can open.
```
Company\                       (one tree; can stay multi-drive-letter mapped — see §4)
|
+-- Departments\
|   +-- Engineering\           ENGR, ECO'S, FMEA, DESIGN, Project Reports, MTBF, LABEL
|   |   +-- Test-Engineering\  ATE, Test Equipment, TESTLOGS, Tester Notebooks
|   |   +-- Custom-Products\
|   +-- Manufacturing\         Production Control, SMT, MANUFACT, Scanned (mfg travelers)
|   +-- Quality\               FMEA (quality copy), Calibration, Test Equipment records
|   +-- Sales-Marketing\       contacts, RMAs, videos, weekly updates, marketing assets
|   +-- Shipping-Receiving\    shipping handoffs, packing/labels
|   +-- Purchasing\            vendor files, (Purchase Orders -> see Restricted)
|   +-- IT\                    tools/notes (software depot stays in ITSvc, see §5)
|
+-- Restricted\                (inheritance BROKEN; no Domain Users; per-area groups)
|   +-- Accounting-Finance\    Sage data refs, invoices, financial reports, QBfiles
|   +-- Payroll\               (from c-drive Payroll)
|   +-- HR\                    personnel, policies-confidential
|   +-- OSHA\                  OSHA 300, Safety Training records
|   +-- Purchase-Orders\       (from c-drive — finance-sensitive)
|
+-- Company-Wide\              (all staff: Read; limited Write groups)
|   +-- Forms\
|   +-- Policies\              (non-confidential, published)
|   +-- Templates\
|   +-- Scanned-Documents\     (general intake; mfg-specific -> Manufacturing)
|   +-- Documents\             (general company docs from c-drive)
|
+-- Users\                     (per-user home folders; only owner + admins)
|
+-- Archive\                   (read-only historical; legacy + "Do not use" landing zone)
    +-- Engineering-Archive\   (current Y: archive)
    +-- Former-Staff\          (person-named folders pending cleanup decision)
```

**App / infra shares stay OUT of this tree** and are handled case-by-case (§5).

---

## 3. Where each current share/folder lands (migration map)

| Today | Target location | Notes |
|---|---|---|
| Q: c-drive \ Documents | `Company-Wide\Documents` | confirm any dept-specific subfolders |
| Q: c-drive \ Manufacturing, Production Control, SMT | `Departments\Manufacturing` | |
| Q: c-drive \ Shipping | `Departments\Shipping-Receiving` | |
| Q: c-drive \ Purchasing | `Departments\Purchasing` | |
| Q: c-drive \ Scanned Documents | `Company-Wide\Scanned-Documents` | split mfg travelers to Manufacturing if needed |
| Q: c-drive \ **Payroll** | `Restricted\Payroll` | broken inheritance, HR/Payroll group only |
| Q: c-drive \ **OSHA 300 / OSHA Safety Training** | `Restricted\OSHA` | HR/Safety group only |
| Q: c-drive \ **Purchase Orders** | `Restricted\Purchase-Orders` | Purchasing + Finance only |
| Q: c-drive \ person-named / "Do not use" | `Archive\Former-Staff` | after migration-gap audit clears |
| T: e-drive \ ENGR, ECO'S, FMEA | `Departments\Engineering` | |
| T: e-drive \ Test Engineering (TE) | `Departments\Engineering\Test-Engineering` | |
| T: e-drive \ MANUFACT | `Departments\Manufacturing` | dedupe vs c-drive Manufacturing |
| T: e-drive \ **QBfiles** (QuickBooks) | `Restricted\Accounting-Finance` | get it off the open eng drive |
| S: sage (Sage ERP) | `Restricted\Accounting-Finance` (refs) | **app paths stay put — see §5 caution** |
| W: sales | `Departments\Sales-Marketing` | shipping handoffs -> Shipping-Receiving subfolder or shared |
| Y: archive (ENGR archive) | `Archive\Engineering-Archive` | read-only |
| B: Engineering (ENGR: ATE/DESIGN/etc.) | `Departments\Engineering` (+ Test-Engineering) | **largest store; AD1 C: ~90% full — destination decision needed** |
| itsvc | stays `ITSvc` (IT depot) | not in dept tree; §5 |
| X: webshare | stays `webshare` | app/automation; preserve `svc_testdatadb`; §5 |
| test | stays `test` | DOS/SMB1 — untouched, excluded |

---

## 4. Drive-letter strategy (keep habits, change permissions)

Two ways to deliver the structure above:

- **Option A — Keep current drive letters (recommended for phase 1 of rollout).** Leave Q/S/T/W/Y/B mapped where they are; reorganize folders *within* each share and apply department groups. Lowest disruption, no app/path breakage, no retraining. The "Company / Departments / Restricted" tree is realized *logically* across the existing shares rather than physically consolidated on day one.
- **Option B — Consolidate to one mapped drive** (e.g. one `Company` share, ABE on, single letter) once apps and muscle-memory allow. Cleaner long-term, but risks hard-coded UNC paths (DOS, Sage, datasheet pipeline, GageTrak/Epicor shortcuts) and user retraining.

**Recommendation:** ship **Option A** structure + groups first (safe, reversible), hold **Option B** consolidation as a later optional phase after the app-path audit. Either way the *permission model is identical* — only the physical/mapping layout differs.

---

## 5. Excluded app / infra shares (do NOT fold into the dept tree)

- `test` (AD2) — DOS test stations, SMB1 + Guest:Read. **Leave exactly as-is.**
- `webshare` (AD2) — datasheet automation. **Preserve `svc_testdatadb:Full`**; restrict human access to IT/Engineering; do not move paths.
- `ITSvc` (AD1) — IT software depot. Keep `Domain Computers:Read` (deployment); IT-RW.
- `sage` app data (SAGE-SQL) — Sage ERP reads/writes here; **do not relocate the live data path.** Restrict via group at the share, but keep the UNC stable for the app/SQL.
- `NETLOGON` / `SYSVOL` — never touch.

---

## 6. AD security groups this implies (naming `SG-<Dept>-<RW|RO>`)

Derived directly from the structure above — RW for the owning dept, RO where another dept needs visibility (confirm RO grants with the client matrix):

```
SG-Engineering-RW      SG-Engineering-RO
SG-Manufacturing-RW    SG-Manufacturing-RO
SG-Quality-RW          SG-Quality-RO
SG-Sales-RW            SG-Sales-RO
SG-Shipping-RW         SG-Shipping-RO
SG-Purchasing-RW       SG-Purchasing-RO
SG-IT-RW
SG-Accounting-RW       SG-Accounting-RO        (Restricted\Accounting-Finance)
SG-Payroll-RW                                  (Restricted\Payroll)
SG-HR-RW                                       (Restricted\HR, OSHA)
SG-PurchaseOrders-RW   SG-PurchaseOrders-RO    (Purchasing + Finance)
SG-CompanyWide-RW                              (everyone = RO by default via Authenticated Users:Read)
```

- Users get **Modify** via the RW group (never Full); SYSTEM/Administrators keep Full.
- Restricted branch: **no `Domain Users`**, inheritance broken, only the named group.
- Management/Exec cross-access handled by adding execs to the RO groups they need (not by re-opening shares).

---

## 7. What still needs the client (gates Phase 2 sign-off)

This draft fills in everything inferable from the existing layout. Still **must come from Dataforth** before build:

1. **Confirm the department list** (we inferred it; they validate).
2. **The access matrix** — for each department, RW / RO / none per area (the grid in the discovery email). Our map above assumes "owning dept RW, others none" except where noted.
3. **Sensitive-data named access** — exactly who sees Payroll, OSHA, POs, Accounting (likely HR/Finance sign-off, not just Dan).
4. **Rosters** — who is in each department (to populate groups).
5. **Cleanup approval** — which person-named / "Do not use" folders archive vs delete.
6. **Engineering destination** — AD1 C: ~90% full; the big ENGR store needs a target volume before any restructure/consolidation.

---

## 8. Sequencing note

This slots into **Phase 2 (Target-state design)** of [roadmap.md](./roadmap.md). It is the strawman to (a) sanity-check internally and (b) simplify into the client sign-off doc once the Phase 1 matrix arrives. Build order stays lowest-risk-first (archive -> sales -> c-drive/e-drive -> Engineering -> Restricted last), additive groups first, remove `Everyone`/`Domain Users` only after pilot validation.
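As an added example (not part of this draft and not anything built at Dataforth), the §6 rules applied to one Restricted branch plus the check that backs the §8 "remove `Everyone`/`Domain Users` only after pilot validation" gate; the `DATAFORTH` NetBIOS name, the `D:\Company` root, the OU distinguished name and the `Company` share name are assumed placeholders.

```powershell
# Added example: stand up Restricted\Payroll per the §6 rules, then audit for broad ACEs.
# Placeholders (NOT from the draft): DATAFORTH domain, D:\Company root, OU path, share name.
Import-Module ActiveDirectory

$Domain  = 'DATAFORTH'                                   # placeholder NetBIOS domain
$OU      = 'OU=File-Share-Groups,DC=dataforth,DC=local'  # placeholder OU for SG-* groups
$Root    = 'D:\Company'                                  # placeholder share root
$Payroll = Join-Path $Root 'Restricted\Payroll'

# 1. Additive step first (§8): create the group if missing; members come from the §7 roster.
if (-not (Get-ADGroup -Filter "Name -eq 'SG-Payroll-RW'")) {
    New-ADGroup -Name 'SG-Payroll-RW' -GroupScope Global -GroupCategory Security -Path $OU
}

# 2. Restricted branch: /inheritance:r removes every inherited ACE (this is what drops
#    Domain Users / Everyone coming from the parent), then /grant:r sets ONLY the named
#    group to Modify (M) and keeps SYSTEM + Administrators at Full (F); never Full for users.
#    (OI)(CI) = the ACE flows to files and subfolders beneath.
New-Item -ItemType Directory -Path $Payroll -Force | Out-Null
icacls $Payroll /inheritance:r /grant:r `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    "$Domain\SG-Payroll-RW:(OI)(CI)M" | Out-Null

# 3. ABE on the share so staff outside SG-Payroll-RW do not even see the folder.
#    Under Option A (§4) run this against each existing share (Q/S/T/W/Y/B) instead.
Set-SmbShare -Name 'Company' -FolderEnumerationMode AccessBased -Force

# 4. Pre-cut-over audit: list any ACE under a tree that still grants the broad principals.
#    Expected result on a correctly built Restricted branch: no rows.
function Get-BroadAce {
    param([string]$Path)
    $dirs = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Directory -Recurse)
    foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -Path $d.FullName).Access) {
            if ($ace.IdentityReference.Value -match '\\Domain Users$|^Everyone$') {
                [pscustomobject]@{
                    Path      = $d.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # $true means a parent is still leaking it
                }
            }
        }
    }
}
Get-BroadAce -Path (Join-Path $Root 'Restricted') | Format-Table -AutoSize
```

Running `Get-BroadAce` against `Departments\` during the pilot gives the list of ACEs that still have to go once the pilot validates; an `Inherited = True` row points at the parent folder that needs fixing, not the folder listed.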