CS-SERVER post-reboot verification: time sync, TLS 1.2 enforcement, and Windows Server Backup feature all persisted cleanly. dcdiag clean. Ready for Entra Connect install. Synology cascadesDS permission inventory captured via DSM API (SSH disabled by default on Synology). 35 users, 4 groups, 10 shares. Analysis identifies 7 shared-account role logins (HIPAA violation), 8 departed-employee accounts to clean up, and 4 shares needing Meredith-side confirmation before migration (pacs most sensitive). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
489 lines
15 KiB
Markdown
# Synology cascadesDS — Permission Inventory (2026-04-22 via DSM API)

**Source:** `docs/migration/synology-permission-inventory-raw.md`

**Method:** DSM HTTP API v7 via CS-SERVER GuruRMM agent (SSH not enabled on Synology as of 2026-04-22)

## Summary counts

- Synology local users: **35**
- Synology local groups: **4**
- Shares: **10**

## Users

| Name | UID | Expired | Email | Description | Groups |
|---|---:|---|---|---|---|
| `Accounting` | - | no | | | - |
| `admin` | - | no | | System default user | - |
| `Amber M Lee` | - | no | | | - |
| `Ann Dery` | - | no | | | - |
| `Anna Pitzlin` | - | no | anna.pitzlin@cascadestucson.com | | - |
| `Ashley Jensen` | - | no | ashley.jensen@cascadestucson.com | | - |
| `Britney Thompson` | - | no | Britney.Thompson@cascadestucson.com | | - |
| `CasAdmin201` | - | no | | | - |
| `ChristinaDupras` | - | no | | | - |
| `Crystal Rodriguez` | - | no | Crystal.rodriguez@cascadestucson.com | | - |
| `Crystal Suszek` | - | no | crystal.suszek@cascadestucson.com | | - |
| `Dining Manager` | - | no | | | - |
| `Front Desk` | - | no | | | - |
| `guest` | - | yes | | Guest | - |
| `guru` | - | no | | | - |
| `Haris Durut` | - | no | haris.durut@cascadestucson.com | | - |
| `JD Martin` | - | no | jd.martin@cascadestucson.com | | - |
| `John Trozzi` | - | no | | | - |
| `Karen Rossini` | - | no | karen.rossini@cascadestucson.com | | - |
| `Lois Lane` | - | no | | | - |
| `Lupe Sanchez` | - | no | | | - |
| `mcnurse` | - | no | | | - |
| `Megan Hiatt` | - | no | | | - |
| `Memcare Receptionist` | - | no | memcarereceptionist@cascadestucson.com | | - |
| `memcarenurse` | - | no | memcarenurse@cascadestucson.com | | - |
| `meredith kuhn` | - | no | meredith.kuhn@cascadestucson.com | | - |
| `Monica RamirezRossette` | - | no | accounting@cascadestucson.com | | - |
| `Nela Durut-Azizi` | - | yes | nela.durut-azizi@cascadestucson.com | | - |
| `Nurse Tower` | - | no | | | - |
| `Shelby Trozzi` | - | no | shelby.trozzi@cascadestucson.com | | - |
| `Stephanie Devin` | - | no | Stephanie.devin@cascadestucson.com | Accounting Assist | - |
| `Susan Hicks` | - | no | | | - |
| `Tamra Johnson` | - | no | tamra.johnson@cascadestucson.com | | - |
| `Veronica` | - | no | | | - |
| `VPNClient` | - | no | | | - |

## Groups

| Name | GID | Type | Description | Members |
|---|---:|---|---|---|
| `administrators` | - | - | | (unable to enumerate via API — error 3201) |
| `http` | - | - | | (unable to enumerate via API — error 3201) |
| `MainOffice` | - | - | | (unable to enumerate via API — error 3201) |
| `users` | - | - | | (unable to enumerate via API — error 3201) |

> Note: DSM API `SYNO.Core.Group.Member` returned error 3201 for all groups with this API path; membership was only partially available via the `members` additional field on the group list call. Full membership requires DSM web UI or CLI `synogroup --get <name>` via SSH.

## Shares

| Share | Volume Path | Hidden | Description |
|---|---|---|---|
| `Activities` | /volume1 | False | |
| `chat` | /volume1 | False | |
| `homes` | /volume1 | False | |
| `Management` | /volume1 | False | |
| `pacs` | /volume1 | False | |
| `Public` | /volume1 | False | |
| `SalesDept` | /volume1 | False | |
| `Sandra Fish` | /volume1 | False | |
| `Server` | /volume1 | False | |
| `web` | /volume1 | False | |

## Effective share permissions

"Admin(full)" means the account inherits full control via administrators-group membership. "RW" means explicitly writable. "DENY" means explicitly denied (wins over everything else in Synology ACL order). Blank / absent means no explicit permission (effectively no access beyond what the users group grants).

### Share: `Activities`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | DENY |
| `administrators` | Admin(full) |
| `http` | - |
| `users` | RW |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | DENY | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Ann Dery` | DENY | DEPARTED |
| `Anna Pitzlin` | DENY | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | DENY | current |
| `Crystal Rodriguez` | DENY | current |
| `Crystal Suszek` | DENY | current |
| `Dining Manager` | DENY | ROLE (HIPAA concern) |
| `Front Desk` | DENY | ROLE (HIPAA concern) |
| `guest` | DENY | service/admin |
| `guru` | RW | service/admin |
| `Haris Durut` | DENY | DEPARTED |
| `JD Martin` | DENY | current |
| `John Trozzi` | DENY | current |
| `Karen Rossini` | DENY | current |
| `Lois Lane` | DENY | current |
| `Lupe Sanchez` | DENY | current |
| `mcnurse` | DENY | ROLE (HIPAA concern) |
| `Megan Hiatt` | DENY | current |
| `Memcare Receptionist` | DENY | ROLE (HIPAA concern) |
| `memcarenurse` | DENY | ROLE (HIPAA concern) |
| `meredith kuhn` | DENY | current |
| `Nela Durut-Azizi` | DENY | DEPARTED |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | DENY | current |
| `Stephanie Devin` | RW | current |
| `Susan Hicks` | DENY | current |
| `Tamra Johnson` | DENY | DEPARTED |
| `Veronica` | RW | current |
| `VPNClient` | DENY | service/admin |

### Share: `Management`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | - |
| `administrators` | RW |
| `http` | - |
| `users` | - |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | RW | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `Crystal Rodriguez` | RW | current |
| `Crystal Suszek` | RW | current |
| `guru` | RW | service/admin |
| `Lois Lane` | DENY | current |
| `Megan Hiatt` | RW | current |
| `meredith kuhn` | RW | current |
| `Shelby Trozzi` | RW | current |
| `Stephanie Devin` | RW | current |
| `Tamra Johnson` | RW | DEPARTED |
| `Veronica` | RW | current |

### Share: `Public`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | DENY |
| `administrators` | RW |
| `http` | - |
| `users` | RW |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | RW | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Amber M Lee` | RW | DEPARTED |
| `Ann Dery` | RW | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | RW | current |
| `guru` | RW | service/admin |
| `JD Martin` | RW | current |
| `Karen Rossini` | DENY | current |
| `meredith kuhn` | Admin(full) | current |
| `Shelby Trozzi` | Admin(full) | current |
| `Stephanie Devin` | RW | current |
| `Veronica` | RW | current |

### Share: `SalesDept`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | DENY |
| `administrators` | Admin(full) |
| `http` | - |
| `users` | RW |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `admin` | RW | service/admin |
| `Ann Dery` | DENY | DEPARTED |
| `Anna Pitzlin` | DENY | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | DENY | current |
| `Dining Manager` | DENY | ROLE (HIPAA concern) |
| `Front Desk` | DENY | ROLE (HIPAA concern) |
| `guru` | RW | service/admin |
| `Haris Durut` | DENY | DEPARTED |
| `JD Martin` | DENY | current |
| `John Trozzi` | DENY | current |
| `Karen Rossini` | DENY | current |
| `Lois Lane` | DENY | current |
| `Lupe Sanchez` | DENY | current |
| `mcnurse` | DENY | ROLE (HIPAA concern) |
| `Megan Hiatt` | RW | current |
| `Memcare Receptionist` | DENY | ROLE (HIPAA concern) |
| `memcarenurse` | DENY | ROLE (HIPAA concern) |
| `meredith kuhn` | Admin(full) | current |
| `Nela Durut-Azizi` | DENY | DEPARTED |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | Admin(full) | current |
| `Veronica` | RW | current |

### Share: `Sandra Fish`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | DENY |
| `administrators` | Admin(full) |
| `http` | - |
| `users` | - |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | DENY | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Ann Dery` | DENY | DEPARTED |
| `Anna Pitzlin` | DENY | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | DENY | current |
| `Crystal Rodriguez` | DENY | current |
| `Crystal Suszek` | DENY | current |
| `Dining Manager` | DENY | ROLE (HIPAA concern) |
| `Front Desk` | DENY | ROLE (HIPAA concern) |
| `guest` | DENY | service/admin |
| `guru` | RW | service/admin |
| `Haris Durut` | DENY | DEPARTED |
| `JD Martin` | DENY | current |
| `John Trozzi` | DENY | current |
| `Karen Rossini` | DENY | current |
| `Lois Lane` | DENY | current |
| `Lupe Sanchez` | DENY | current |
| `mcnurse` | DENY | ROLE (HIPAA concern) |
| `Memcare Receptionist` | DENY | ROLE (HIPAA concern) |
| `memcarenurse` | DENY | ROLE (HIPAA concern) |
| `meredith kuhn` | DENY | current |
| `Nela Durut-Azizi` | DENY | DEPARTED |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | DENY | current |
| `Susan Hicks` | DENY | current |
| `Tamra Johnson` | DENY | DEPARTED |
| `Veronica` | RW | current |
| `VPNClient` | DENY | service/admin |

### Share: `Server`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | RW |
| `administrators` | RW |
| `http` | - |
| `users` | - |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | DENY | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Anna Pitzlin` | DENY | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | RW | current |
| `Crystal Rodriguez` | DENY | current |
| `Crystal Suszek` | DENY | current |
| `Dining Manager` | DENY | ROLE (HIPAA concern) |
| `Front Desk` | DENY | ROLE (HIPAA concern) |
| `guru` | RW | service/admin |
| `Haris Durut` | DENY | DEPARTED |
| `JD Martin` | DENY | current |
| `John Trozzi` | DENY | current |
| `Karen Rossini` | DENY | current |
| `Lois Lane` | DENY | current |
| `Lupe Sanchez` | DENY | current |
| `Memcare Receptionist` | DENY | ROLE (HIPAA concern) |
| `meredith kuhn` | Admin(full) | current |
| `Nela Durut-Azizi` | DENY | DEPARTED |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | Admin(full) | current |
| `Tamra Johnson` | DENY | DEPARTED |
| `Veronica` | RW | current |

### Share: `chat`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | DENY |
| `administrators` | RW |
| `http` | - |
| `users` | - |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | DENY | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Anna Pitzlin` | DENY | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | DENY | current |
| `Crystal Rodriguez` | DENY | current |
| `Crystal Suszek` | DENY | current |
| `Dining Manager` | DENY | ROLE (HIPAA concern) |
| `guru` | RW | service/admin |
| `Haris Durut` | DENY | DEPARTED |
| `JD Martin` | DENY | current |
| `John Trozzi` | DENY | current |
| `Karen Rossini` | DENY | current |
| `Lois Lane` | DENY | current |
| `Lupe Sanchez` | DENY | current |
| `mcnurse` | DENY | ROLE (HIPAA concern) |
| `Memcare Receptionist` | DENY | ROLE (HIPAA concern) |
| `memcarenurse` | DENY | ROLE (HIPAA concern) |
| `meredith kuhn` | Admin(full) | current |
| `Nela Durut-Azizi` | DENY | DEPARTED |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | Admin(full) | current |
| `Tamra Johnson` | DENY | DEPARTED |
| `Veronica` | RW | current |

### Share: `homes`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | RW |
| `administrators` | RW |
| `http` | - |
| `users` | - |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `admin` | RW | service/admin |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `Front Desk` | DENY | ROLE (HIPAA concern) |
| `guru` | RW | service/admin |
| `Karen Rossini` | RW | current |
| `Lois Lane` | DENY | current |
| `meredith kuhn` | Admin(full) | current |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | Admin(full) | current |
| `Stephanie Devin` | RW | current |
| `Veronica` | RW | current |

### Share: `pacs`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | DENY |
| `administrators` | RW |
| `http` | - |
| `users` | - |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | DENY | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Ann Dery` | DENY | DEPARTED |
| `Anna Pitzlin` | DENY | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | DENY | current |
| `Crystal Rodriguez` | DENY | current |
| `Crystal Suszek` | DENY | current |
| `Dining Manager` | DENY | ROLE (HIPAA concern) |
| `Front Desk` | DENY | ROLE (HIPAA concern) |
| `guest` | DENY | service/admin |
| `guru` | RW | service/admin |
| `Haris Durut` | DENY | DEPARTED |
| `JD Martin` | DENY | current |
| `John Trozzi` | DENY | current |
| `Karen Rossini` | DENY | current |
| `Lois Lane` | DENY | current |
| `Lupe Sanchez` | DENY | current |
| `mcnurse` | DENY | ROLE (HIPAA concern) |
| `Megan Hiatt` | DENY | current |
| `Memcare Receptionist` | DENY | ROLE (HIPAA concern) |
| `memcarenurse` | DENY | ROLE (HIPAA concern) |
| `meredith kuhn` | DENY | current |
| `Nela Durut-Azizi` | DENY | DEPARTED |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | DENY | current |
| `Susan Hicks` | DENY | current |
| `Tamra Johnson` | DENY | DEPARTED |
| `Veronica` | RW | current |
| `VPNClient` | DENY | service/admin |

### Share: `web`

**Groups:**

| Group | Effective |
|---|---|
| `MainOffice` | DENY |
| `administrators` | Admin(full) |
| `http` | - |
| `users` | - |

**Users with explicit permission:**

| User | Effective | Status |
|---|---|---|
| `Accounting` | DENY | ROLE (HIPAA concern) |
| `admin` | RW | service/admin |
| `Ann Dery` | DENY | DEPARTED |
| `Anna Pitzlin` | DENY | DEPARTED |
| `Ashley Jensen` | RW | current |
| `Britney Thompson` | RW | DEPARTED |
| `CasAdmin201` | RW | current |
| `ChristinaDupras` | DENY | current |
| `Crystal Rodriguez` | DENY | current |
| `Crystal Suszek` | DENY | current |
| `Dining Manager` | DENY | ROLE (HIPAA concern) |
| `Front Desk` | DENY | ROLE (HIPAA concern) |
| `guest` | DENY | service/admin |
| `guru` | RW | service/admin |
| `Haris Durut` | DENY | DEPARTED |
| `JD Martin` | DENY | current |
| `John Trozzi` | DENY | current |
| `Karen Rossini` | DENY | current |
| `Lois Lane` | DENY | current |
| `Lupe Sanchez` | DENY | current |
| `mcnurse` | DENY | ROLE (HIPAA concern) |
| `Megan Hiatt` | DENY | current |
| `Memcare Receptionist` | DENY | ROLE (HIPAA concern) |
| `memcarenurse` | DENY | ROLE (HIPAA concern) |
| `meredith kuhn` | DENY | current |
| `Monica RamirezRossette` | RW | DEPARTED |
| `Nela Durut-Azizi` | DENY | DEPARTED |
| `Nurse Tower` | DENY | ROLE (HIPAA concern) |
| `Shelby Trozzi` | DENY | current |
| `Susan Hicks` | DENY | current |
| `Tamra Johnson` | DENY | DEPARTED |
| `Veronica` | RW | current |
| `VPNClient` | DENY | service/admin |