azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
295126ee6c4abe2588f94de0e022eabdbb1c925d
claudetools/clients/cascades-tucson/docs/migration/share-access-matrix-2026-04-23.md
Howard Enos 6e2d99bd23 sync: auto-sync from HOWARD-HOME at 2026-04-23 21:12:42 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-23 21:12:42
2026-04-23 21:12:43 -07:00

349 lines
23 KiB
Markdown
Raw Blame History

# Share Access Review — Cascades of Tucson
**Prepared:** 2026-04-23 (Howard) · **For review by:** John Trozzi / Meredith Kuhn
**What you're looking at:** every current employee, their department + position, and which shared folders they should have access to on the new CS-SERVER setup. Please read through and confirm each person is (a) in the right department/position, and (b) has the right folder access. Flag anything wrong.
**No changes have been made yet.** This is the review draft. Once you sign off, we apply it to AD and the share permissions on CS-SERVER.
---
## Reading the list
- **Access: X, Y, Z** means read + write on those folders.
- **Read-only: X** means they can open files but not save/delete.
- **Everyone** gets the `Public` share (company-wide scratch space) and their own personal `home` folder. Those aren't repeated per person below.
- **IT**, **Culinary**, **Sandra Fish Archive**, **Clinical (pacs)**, and **Life Enrichment (Activities)** are special-access — only the people listed get in.
- The old `chat` folder is being retired — company chat is moving to **Teams**.
## Folders at a glance
| Folder | What's in it |
|---|---|
| **Management** | Office/admin docs, budgets, HR-adjacent files |
| **Sales** | Sales and move-in coordination docs (resident intake) |
| **ALdocs** | Assisted Living documentation (clinical/operational) — **new share, CS-SERVER only** |
| **WebDocs** | Web / marketing / sales-collateral docs — **new share, CS-SERVER only** (distinct from retired DSM `web` share) |
| **Server** | IT/vendor docs, server config, maintenance records |
| **Directory** | Resident directory (phone, room, emergency contact) — most staff need read |
| **Receptionist** | Dump folder for scans from the copy room — **Tower front desk only**. Front-desk staff pull the scans from here, process them, and delete as they go. Drive is **mapped by machine + user** via GPO / logon script: it appears only on Tower reception PC(s) and only for users who are in the Tower reception role group. MC receptionist PC does not get this mapped. |
| **Culinary** | Menus, kitchen ordering, dining room operations |
| **Life Enrichment** | Activity calendars, program docs — **new share, CS-SERVER only**. LE machines currently have no mapped drives, so this will be the first file-share those stations connect to. |
| **Clinical (PHI)** | Medical imaging / clinical records. **Howard verified 2026-04-23: the Synology `pacs` folder is empty** — no data to migrate. Question is whether clinical staff need a shared clinical folder on CS-SERVER at all, or if ALIS covers everything. Pending Meredith. |
| **IT** | Systems admin docs — IT only |
| **Sandra Fish Archive** | Former director's personal folder — **Meredith only** |
| **Home** | Each person's own personal folder (folder redirection) |
| **Public** | Company-wide scratch space — everyone |
---
## Administrative
### Meredith Kuhn — Executive Director
Access: Management, Sales, ALdocs, WebDocs, Server, Directory, Receptionist, Life Enrichment, Clinical, **Sandra Fish Archive (sole custodian)**
Read-only: Culinary
### Ashley Jensen — Assistant Executive Director
Access: Management, Sales, ALdocs, WebDocs, Server, Directory, Receptionist, Life Enrichment, Clinical
Read-only: Culinary
**Note:** Same level as Meredith per Howard 2026-04-23.
### Lauren Hasselman — Business Office Director
Access: Management, Sales, Server, Directory
Read-only: Receptionist
### Allison Reibschied — Accounting Assistant
Access: Management, Directory
---
## Marketing / Sales
### Megan Hiatt — Sales Director
Access: Management, Sales, ALdocs, WebDocs, Directory
### Crystal Rodriguez — Sales Associate
Access: Management, Sales, ALdocs, WebDocs, Directory
**Note:** `Crystal Suszek` is Crystal Rodriguez's former name (confirmed 2026-04-23). Consolidate to the single `Crystal.Rodriguez` AD account at cutover; disable the old Synology `Crystal Suszek` account.
### Tamra Matthews — Move-In Coordinator
Access: Management, Sales, ALdocs, WebDocs, Directory
**Note:** Leaving June 2026 — access ends on her departure.
**Action before cutover:** Tamra has a `Sales Dept` folder in the root of her user profile on her PC that does not appear to be syncing to the server. Back it up and migrate its contents into `\\CS-SERVER\SalesDept` (or the new CS-SERVER Sales share path) before her departure.
---
## Care, Assisted Living (Nursing / Clinical)
### Lois Lane — Health Services Director
Access: ALdocs, Directory, Clinical (PHI)
Read-only: Management
**Note:** ALdocs is the main nursing share. She and Karen are the only nurses granted RW per Howard 2026-04-23 ("only nurses will need access to the ALdocs").
**Anomaly:** Currently has no share access on Synology — proposed scope is based on her director role. Confirm she actually wants file access vs. working only through ALIS.
### Karen Rossini — Health Services Manager
Access: ALdocs, Directory, Clinical (PHI)
**Note:** Same nursing-access pattern as Lois.
**Anomaly:** Currently only has home-folder access on Synology — likely underprovisioned.
### Veronica Feller — Care, Assisted Living Aide
Access: Management, Sales, Server, Directory, Life Enrichment, Clinical
**Note (Howard 2026-04-23):** Keep the permissions she currently has on Synology, but **not at admin level** — she's a regular RW user, not a share administrator. Scope above matches her current Synology RW list (minus the retiring `chat` share, minus Sandra Fish which is Meredith-only, minus Culinary which is now restricted to kitchen staff only).
---
## Care, Memory Care
### Shelby Trozzi — Memory Care Director
Access: Management, Server, Directory, Receptionist, Clinical (PHI)
Read-only: Sales, Life Enrichment
**Note:** Currently has admin-full (ownership-class) access to 5 shares on Synology. Per Howard's direction she does not need that level — proposed scope above is what a MC Director actually uses day-to-day.
### Christine Nyanzunda — Memory Care Admin Assistant (also PT MedTech)
Access: Directory, Receptionist, Clinical (PHI)
Read-only: Management
---
## Resident Services
### Christina DuPras — Resident Services Director
Access: Management, Server, Directory, Receptionist
Read-only: Life Enrichment
### Cathy Kingston — Receptionist (Tower front desk, shared PC)
Access: Directory, Receptionist
### Shontiel Nunn — Receptionist (Tower front desk, shared PC)
Access: Directory, Receptionist
### Kyla Quick Tiffany — Receptionist (Tower front desk, shared PC)
Access: Directory, Receptionist
**Note:** AD account not yet created (Wave 1 of user rollout). Spelling confirmed per Kyla as `Kyla.QuickTiffany`.
### Michelle Shestko — MC Receptionist (MC front desk, shared PC)
Access: Directory
**Note:** MC front desk does NOT get the `Receptionist` scan-drop share — that's Tower-front-desk-only per Howard 2026-04-23.
### Sebastian Leon — Courtesy Patrol
Access: Directory, Receptionist
### Sheldon Gardfrey — Courtesy Patrol
Access: Directory, Receptionist
### Ray Rai — Courtesy Patrol
Access: Directory, Receptionist
---
## Life Enrichment
### Susan Hicks — Life Enrichment Director
Access: Directory, Life Enrichment
Read-only: Management
**Note:** Life Enrichment workstations currently have no mapped drives at all. The new `LifeEnrichment` share will be the first file share those PCs connect to — needs a one-time map at setup.
### Sharon Edwards — Life Enrichment Assistant
Access: Directory, Life Enrichment
**Note:** Same LE-new-mapping note as Susan.
### Alma R Montt — MC Life Enrichment
Access: Directory, Life Enrichment
**Note:** AD account not yet created (Wave 1 of user rollout). LE-machine drive mapping applies once her account + PC are set up.
---
## Culinary
### JD Martin — Culinary Director
Access: Culinary
**Note:** Kitchen staff only need the Culinary share — no Directory, no other shares (Howard 2026-04-23).
### Ramon Castaneda — Kitchen Manager
Access: Culinary
### Alyssa Brooks — Dining Manager
Access: Culinary
---
## Maintenance
### John Trozzi — Facilities Director
Access: Server, Directory
Read-only: Management, Culinary
**Anomaly:** Currently has no share access on Synology. Proposed scope gives him Server for vendor/maintenance records. **John — confirm you want Server, or just Directory?** Culinary read-only is by design (he's on the approved Culinary read list alongside Meredith and Ashley — only kitchen staff write there).
### Matt Brooks — MC Receptionist (also works Maintenance)
Access: Directory
Read-only: Server
**Note:** HR has him in Maintenance; CSV says MC Receptionist. Works both departments — confirm primary dept assignment. Does NOT get the `Receptionist` scan-drop share (that's Tower-front-desk-only, and he covers the MC desk, not Tower).
---
## Housekeeping
### Lupe Sanchez — Housekeeping Director
Access: Directory
**Anomaly:** Currently has no share access on Synology. Confirm this minimal scope is right, or does she need Management read for budgets/supplier docs?
---
## Transportation — no IT access
Per 2026-04-22 decision, drivers' AD accounts are being disabled. No share access going forward.
- **Richard Adams** — Driver
- **Julian Crim** — Driver
- **Christopher Holick** — Driver
---
## Caregivers (shift staff) — no on-prem shares
All 37 caregivers access clinical data exclusively through **ALIS**. **No SMB/file-share access of any kind** — no Directory, no Clinical, nothing. Confirmed 2026-04-23.
Names (from CSV): Thelma Abainza, Niel Castro, Espe Esperance, Barbara Johnson, Kasey Flores, Richard Flores, Marie Kastner, Bella Mendoza, Rosa Morales, Sandra Padilla, Whisper Reed, Patricia Sandoval-Beck, Charity Sika, Ederick Yuzon, Juan Andrade, Jahmeka Clarke, Karina Aziakpo, Jinnelle Dittbenner, Agnes McFerren, Samuel Ramirez, Erica Sanchez, Katrina Wyzykowski, Corey Tate, Ashli Atwood, Cole Johnson, Roseline Cooper, Monique Lopez, Gloria Williford, Sarah Carroll, Luke Hogan, Gina Williams, Jen Higdon, Mary Kariuki, CeCe Lassey, Paty Doran, Ezekiel Huerta, Maia Baker.
Agency placeholders ("Reliable Agency 1/2") are **not** being created as accounts — per-person names required before PHI access, per HIPAA review 2026-04-22.
---
## Accounts to remove at cutover (not current employees)
These names show up on Synology but are not in John's current employee list. They'll be disabled when we retire the Synology file-share role:
- **Amber M Lee, Ann Dery, Anna Pitzlin, Britney Thompson, Haris Durut, Monica RamirezRossette, Nela Durut-Azizi, Stephanie Devin** — all former employees.
- **Tamra Johnson** (old alias — now `Tamra Matthews`)
- **CasAdmin201** — prior-MSP admin account. Confirm with Meredith before deletion.
- **Role accounts** — `Accounting`, `Dining Manager`, `Front Desk`, `mcnurse`, `memcarenurse`, `Memcare Receptionist`, `Nurse Tower`. These are shared logins that violate HIPAA unique-user-identification requirement. Replaced by the named-person accounts above.
---
## Decisions already settled
- **Sandra Fish Archive** — archived to `CS-SERVER\Archive\Former-Director-Sandra-Fish\`, **Meredith is the sole custodian** (settled 2026-04-23).
- **Drivers lose IT access** — Richard Adams / Julian Crim / Christopher Holick AD accounts disabled (settled 2026-04-22).
- **Agency caregivers** — no shared logins; per-person accounts only when Reliable supplies names (settled 2026-04-22 per HIPAA review).
- **`chat` share retired** — Teams replaces it company-wide (settled 2026-04-23). No migration needed.
- **Culinary access limited** — only kitchen staff (JD, Ramon, Alyssa) get **write** access. Meredith, John Trozzi, and Ashley get **read-only**. Nobody else has access (settled 2026-04-23).
- **Culinary folder path** — Culinary lives at `D:\Shares\Culinary` on CS-SERVER (local to the server, not synced with Synology). Kitchen team doesn't need the data anywhere else, so no two-way sync (settled 2026-04-23).
- **Veronica Feller** — keeps her current Synology RW scope (Management, Sales, Server, Life Enrichment, Clinical) + Directory, but NOT at admin level. Settled 2026-04-23.
- **Caregivers — zero on-prem share access** — all clinical work through ALIS. No Directory, no Clinical, no read access to the resident contact list from phones, no exceptions (settled 2026-04-23).
- **Crystal Suszek → Crystal Rodriguez** — same person, former name. Single AD account `Crystal.Rodriguez`; old Synology `Crystal Suszek` account disabled at cutover (settled 2026-04-23).
- **`CasAdmin201`** — will NOT become a domain user on cs-server/CS-SERVER. Disabled on Synology at cutover (settled 2026-04-23).
- **New CS-SERVER shares to create** (settled 2026-04-23):
- **`LifeEnrichment`** — CS-SERVER local, RW for Susan/Sharon/Alma only. LE workstations currently have no mapped drives — this will be their first.
- **`ALdocs`** — Assisted Living documentation, CS-SERVER local, RW for nurses (Lois, Karen) + Meredith + Ashley + Sales team (Megan, Crystal, Tamra).
- **`WebDocs`** — web/marketing collateral, CS-SERVER local, RW for Sales team + Meredith + Ashley. Distinct from the retired Synology `web` DSM share.
- **Sales team share set** (settled 2026-04-23) — Megan, Crystal, Tamra all get RW on: ALdocs, WebDocs, SalesDept, Management, Directory.
- **Tamra's local `Sales Dept` folder** — she has a `Sales Dept` folder in the root of her user profile that's NOT syncing to the server. Action before her June 2026 departure: back it up and move contents into `\\CS-SERVER\SalesDept`. Tracked as action item below.
- **Kitchen staff scope** (settled 2026-04-23) — JD, Ramon, Alyssa only get RW on `Culinary`. No Directory, no other shares. They don't need them.
- **Sales team Receptionist access** (settled 2026-04-23) — removed. Megan, Crystal, Tamra don't need the Receptionist scan-drop share.
- **Receptionist share scoping** (settled 2026-04-23) — the `Receptionist` share is a dump folder for scans from the copy room. **Tower front desk only** — not MC receptionist, not Sales, not sales-supporting roles. It is mapped **by machine + user** via GPO or logon script: drive appears only on Tower reception PC(s) for users in the Tower receptionist role group. Michelle (MC receptionist) and Matt Brooks (MC receptionist coverage) do NOT get this mapped. Courtesy Patrol (Sebastian, Sheldon, Ray) cover Tower reception after hours, so they keep access. Christina DuPras keeps access for RS Director oversight. Meredith + Ashley keep access for executive oversight.
---
## Decisions still needed from John / Meredith
Tick each when answered:
- [ ] **Lois Lane** — grant the director-level access proposed (Directory + Clinical + Mgmt read), or leave her at ALIS-only?
- [ ] **Karen Rossini** — grant Clinical + Directory, or less?
- [ ] **Susan Hicks** — grant LE Director scope as proposed?
- [ ] **John Trozzi** — want Server access for vendor/maintenance docs, or just Directory + Culinary?
- [ ] **Lupe Sanchez** — minimal scope (Directory only) OK, or does she need Management read?
- [ ] **Shelby Trozzi** — OK with the narrower scope (no admin-full), keeping her as MC Director?
- [ ] **Matt Brooks** — primary department: Maintenance or Resident Services (MC Receptionist)?
- [ ] **Christine Nyanzunda** — Management as read-only OK, or does she need write?
- [ ] **`Activities` folder** — confirm contents are Life Enrichment only (so we create CS-SERVER `LifeEnrichment` share with just LE team RW)
- [ ] **`pacs` folder** — Howard verified 2026-04-23 it's empty on Synology. **Do we create a Clinical shared folder on CS-SERVER at all?** If clinical staff use ALIS for everything, retire the concept entirely (and strip Clinical from everyone's access lines above). If there's a future need, we create an empty `Clinical-PHI` share with the access list already proposed.
- [ ] **`web` folder** — confirm we can retire entirely (DSM web station, not a business share)
---
## Pre-cutover action items
- **Tamra Matthews** — back up `Sales Dept` folder in root of her user profile; migrate into `\\CS-SERVER\SalesDept`. Must complete before her June 2026 departure. Verify it really isn't syncing (check the Synology Drive Client on her PC).
- **Create three new shares on CS-SERVER** — `LifeEnrichment`, `ALdocs`, `WebDocs` at `D:\Shares\<name>`. Populate NTFS per this doc.
- **Map the new shares** — LE workstations are net-new mappings (no drives today). Script the drive maps via GPO or logon script once per-user interviews close.
- **Receptionist share — machine+user GPO/logon-script mapping** — drive letter (likely `S:`) should only map when the machine is a Tower reception PC (currently `RECEPTIONIST-PC`, and any future Tower-desk stations) AND the user is in a Tower receptionist role group. MC receptionist PC and Sales workstations must NOT get the drive auto-mapped even if the user also logs in elsewhere.
## Transition from Synology Drive Client to SMB mapped drives
**Current state.** The Synology NAS (`cascadesDS`) two-way syncs its shares to CS-SERVER at `D:\Shares\Main\` via a Synology Drive Client running on CS-SERVER. That sync stays in place until Phase 4 cutover. Separately, some user workstations also have Synology Drive Client installed locally, pulling a cached copy of the shares to each PC — that's how those users access Management / SalesDept / Server / Public today.
**Goal.** Replace each user's local Synology Drive Client with a standard SMB mapped drive (e.g. `\\CS-SERVER\Management`, backed by `D:\Shares\Main\Management`). Because CS-SERVER's copy is kept current by the NAS-side sync, users see the same files via the mapped drive as they did via Synology Drive Client — no data move, just a different access path.
**Prerequisite.** NTFS permissions on each `D:\Shares\Main\<share>` folder must match this access matrix **before** drives are mapped on a user's PC. Otherwise users will see the folder but hit access-denied on files.
**Rollout per user:**
1. Create / populate that user's `SG-*-RW` group memberships per this matrix.
2. Map their drives via GPO Preferences (or logon script) based on those group memberships.
3. Have the user sign in, open each mapped drive, confirm read-and-write works where expected.
4. Uninstall Synology Drive Client from the PC. Delete the local cached folder once confirmed empty of unsynced changes.
5. Log the change in the session log for that day.
**At Phase 4 cutover** the sync direction breaks: CS-SERVER becomes authoritative, the Synology moves to read-only, then to a backup target. Mapped drives already point at CS-SERVER so no user-side change is needed at cutover.
**Do not retarget the CS-SERVER Synology Drive Client sync path.** It stays at `D:\Shares\Main\` for the duration. An earlier version of this doc proposed moving it to `D:\Shares\Synology\` — that plan is scrapped because it would break the current user-side Synology Drive Client sync for the users still on it.
## Next step — per-user interviews
Howard is walking the proposal around the building 2026-04-23 onward, asking each staff member which folders they actually use. Anything a user doesn't touch in their normal workflow gets set to **not active** for that person — the doc's current access list is the starting point, not the final word. Once interviews are done:
1. Update this doc with the approved values
2. Populate the `SG-*-RW` AD groups accordingly (one-shot script, no service interruption)
3. Run `scripts/phase2-file-shares.ps1` to create/update shares on CS-SERVER with the new NTFS permissions
4. Spot-check from one PC per department to verify effective access matches the plan
5. Leave the Synology in two-way sync during the overlap period; Phase 4 cutover retires Synology as primary once stable
---
## Implementation detail — folder paths on CS-SERVER
For Howard's reference during setup. Reviewers can skip this section.
Two path conventions on CS-SERVER's D: drive:
- **`D:\Shares\Main\<name>\`** — two-way synced with cascadesDS via Synology Drive Client running on CS-SERVER. Use this for any share that needs to exist on both the Synology NAS and CS-SERVER during the Phase 4 overlap window: Management, SalesDept, Server, Public, and any others Meredith wants kept in sync. **This is the existing sync target — do not retarget.**
- **`D:\Shares\<name>\`** — CS-SERVER-local only, no Synology sync. Use this for shares that don't exist on Synology today or don't need a Synology copy: Culinary, IT, Receptionist, directoryshare, LifeEnrichment, ALdocs, WebDocs.
- **`D:\Homes\<username>\`** — per-user folder-redirection share. Exposed as `\\CS-SERVER\homes`. Not under either shares tree; not Synology-synced.
SMB share names stay flat (`\\CS-SERVER\Management`, `\\CS-SERVER\Culinary`) — users never see the path difference. Only the NTFS path under the hood changes.
Shares to create/update on CS-SERVER at this path convention:
| SMB share | CS-SERVER path | Synced with Synology? |
|---|---|---|
| Management | `D:\Shares\Main\Management` | yes |
| SalesDept | `D:\Shares\Main\SalesDept` | yes |
| Server | `D:\Shares\Main\Server` | yes |
| Public | `D:\Shares\Main\Public` | yes |
| homes | `D:\Homes` | **no** (local, folder-redirection target) |
| LifeEnrichment | `D:\Shares\LifeEnrichment` | **no** (CS-SERVER local, new) |
| ALdocs | `D:\Shares\ALdocs` | **no** (CS-SERVER local, new) |
| WebDocs | `D:\Shares\WebDocs` | **no** (CS-SERVER local, new) |
| Clinical-PHI (from `pacs`) | `D:\Shares\Clinical-PHI` (if created) | Pending A12. Synology `pacs` is empty — if Meredith wants a clinical shared folder going forward, create empty on CS-SERVER (local, not synced). If not, retire and strip Clinical from access lines. |
| Culinary | `D:\Shares\Culinary` | **no** (local to CS-SERVER) |
| Receptionist | `D:\Shares\Receptionist` | **no** |
| directoryshare | `D:\Shares\directoryshare` | **no** |
| IT | `D:\Shares\IT` | **no** |
| Sandra Fish Archive | `D:\Shares\Archive\Former-Director-Sandra-Fish` | **no** — Meredith-only, archived |
The existing Synology Drive Client sync target on CS-SERVER is `D:\Shares\Main\` (per `docs/servers/cs-server.md`). **It stays there for the duration of the Phase 4 overlap.** An earlier draft of this doc proposed retargeting to `D:\Shares\Synology\` — that plan is scrapped; users currently rely on `D:\Shares\Main\` and a retarget would break their sync.
`scripts/phase2-file-shares.ps1` will need its `$DestRoot` + per-share `Path` values updated to match (`D:\Shares\Main\<name>` for synced shares, `D:\Shares\<name>` for local-only).
---
## Source data
- Synology permissions as of 2026-04-22 — `docs/migration/synology-permission-inventory.md`
- Current AD users + titles — `docs/servers/active-directory.md`
- Employee roster from John/Meredith (2026-04-22) — `reports/cascades-staff-2026-04-22.csv`
- User rollout plan — `docs/cloud/user-account-rollout-plan.md`
Howard's input 2026-04-23: Ashley → Meredith tier · Veronica → Meredith tier (flagged as strong anomaly for Meredith's sign-off) · Shelby → narrowed from Synology admin-full to MC Director scope · Stephanie Devin removed (not in employee list) · Sandra Fish → Meredith sole custodian.
Reference in New Issue View Git Blame Copy Permalink