292 lines
26 KiB
Markdown
292 lines
26 KiB
Markdown
# User Account Rollout Plan — Cascades of Tucson
|
||
|
||
**Status:** Planning — no account creation or license assignment yet.
|
||
**Created:** 2026-04-22 (Howard)
|
||
**Inputs:**
|
||
- `reports/cascades-staff-2026-04-22.csv` — returned staff-editor questionnaire, 70 rows (source of truth for *who should exist* and *what access posture*)
|
||
- `docs/servers/active-directory.md` — current AD state (42 accounts, 40 enabled)
|
||
- `docs/cloud/caregiver-m365-p2-rollout.md` — caregiver identity/phone plan (39 caregivers)
|
||
- `docs/cloud/p2-staff-candidates.md` — P2 license sizing for the office-staff side
|
||
- `docs/cloud/m365.md` — current M365 tenant state
|
||
|
||
## 1. Scope
|
||
|
||
Build every person on the 2026-04-22 CSV into a consistent AD + M365 identity, licensed and policy-covered according to the **Access / Outside Access / ALIS** posture columns they returned. This plan covers the identity layer only — device/MDM work is already tracked in `caregiver-m365-p2-rollout.md` and the Intune rollout, and folder redirection continues under the existing GPO workstream.
|
||
|
||
**Explicitly out of scope here:**
|
||
- Device enrollment (Intune flow already designed)
|
||
- Folder redirection GPO edits (separate workstream, already validated on DLTAGOI)
|
||
- M365 tenant licensing *purchase* decision (decision gated — see §10)
|
||
|
||
## 2. Personas (derived from CSV access matrix)
|
||
|
||
| Persona | Access | Outside | ALIS | Count | Examples |
|
||
|---|---|---|---|---|---|
|
||
| **Office-PHI (external-OK)** | D+P | Y | Y | 18 | Meredith, Megan, Lois, Susan, Alma, JD, John Trozzi, Lupe |
|
||
| **Office-PHI (in-building)** | D+P | N | Y | 2 | Allison Reibschied, Sharon Edwards |
|
||
| **Office non-PHI (in-building)** | D+P | N | N | 1 | Ramon Castaneda |
|
||
| **Maintenance (in-building PHI)** | D+P | N | Y | 1 | Matt Brooks |
|
||
| **Courtesy Patrol** | D+P | N | N | 3 | Sebastian Leon, Sheldon Gardfrey, Ray Rai |
|
||
| **Shared-PC Reception** | D | N | N | 4 | Cathy, Shontiel, Kyla, Michelle |
|
||
| **Caregiver (shared-phone)** | D+P | N | Y | 37 | See caregiver-m365-p2-rollout.md |
|
||
| **Agency caregivers (per-person)** | D+P | N | Y | 0 | None created. HIPAA-mandated per-person IDs — Reliable must supply names. No shared logins. |
|
||
| **Driver (no IT access)** | — | — | — | 3 | Richard Adams, Julian Crim, Christopher Holick — on roster for tracking, existing AD accounts to be disabled |
|
||
| **Departed (disable/remove)** | — | — | — | 2 | Britney Thompson (has AD+M365, must be disabled), Polett Pinazavala (no account, just remove from roster) |
|
||
|
||
(Identities to create or keep active: **66**. Roster-only-no-account: 3 drivers. Departures: Britney + Polett. No agency accounts created — per-person names required. Christine Nyanzunda sits in one persona — Office-PHI — with her caregiver-shift sign-in handled via exception group if needed.)
|
||
|
||
## 3. License mapping per persona
|
||
|
||
**Guiding principles:**
|
||
1. Default to **Business Premium** tenant-wide (already the recommendation in `p2-staff-candidates.md` — bundles Intune + P2 + Defender + DLP).
|
||
2. Use **F3** only for phone-only users (drivers) where Premium is overkill and F3 covers Exchange/Teams needs.
|
||
3. Reception shared PCs get shared *mailboxes* for `Frontdesk@`, but each named receptionist gets her own licensed account so audits attribute individual actions.
|
||
|
||
| Persona | License | Notes |
|
||
|---|---|---|
|
||
| Office-PHI (external-OK) | **Business Premium** | CA: compliant device OR trusted location |
|
||
| Office-PHI (in-building) | **Business Premium** | CA: trusted location only |
|
||
| Office non-PHI (in-building) | Business Standard (or Premium if tenant-wide) | CA: trusted location only |
|
||
| Maintenance PHI (Matt Brooks) | **Business Premium** | MC-adjacent role, ALIS=Y |
|
||
| Courtesy Patrol | Business Standard | Could be F3 if they don't need full desktop Office; confirm with Meredith |
|
||
| Shared-PC Reception | Business Standard | Frontdesk@ stays as shared mailbox, named accounts read it |
|
||
| Caregiver | **Business Premium** | Per `caregiver-m365-p2-rollout.md` — P2 is load-bearing for shared-phone CA |
|
||
| Agency caregivers (per-person) | **Business Premium** each | Only provisioned when Reliable Agency provides individual names. Zero created as of 2026-04-22. |
|
||
| Driver | **None** | No IT access — accounts disabled. License previously used (if any) harvested. |
|
||
| Britney Thompson (departing) | **None** (harvest) | Disable account, free Business Standard + Exchange Online Essentials |
|
||
|
||
Expected license count at full rollout:
|
||
- Business Premium: 18 (office PHI ext) + 2 (office PHI int) + 1 (Matt) + 37 caregivers = **58**
|
||
- Business Standard: 1 (Ramon) + 3 courtesy + 4 reception = **8**
|
||
- F3: 0 (drivers no longer need accounts)
|
||
- Per-person agency: +1 each if/when Reliable Agency provides names
|
||
|
||
**Post-2026-04-22 update:** With the building-only-by-default CA decision confirmed, every licensed user needs Entra P1 coverage (either via Business Premium, or Business Standard + standalone Entra P1). Without P1, CA policies don't apply and the user sidesteps the default-deny. This effectively collapses the mixed-SKU table above into a recommendation for **Business Premium tenant-wide (~68 seats)** — the Business Standard rows stay in the table only as a reference for what we'd buy if budget forces unbundling. Proceed with Premium-tenant-wide unless Meredith pushes back. Britney's harvested Business Standard + Exchange Online Essentials license plus any freed driver licenses go back into the pool to offset the Premium purchase.
|
||
|
||
## 4. AD OU + group layout (proposed)
|
||
|
||
Current `cascades.local` OU layout is loose (see `docs/servers/active-directory.md`). Proposed structure to align with the persona matrix and folder-redirection GPOs already in place:
|
||
|
||
```
|
||
OU=Cascades Users
|
||
├── OU=Administrative
|
||
├── OU=Marketing (new name for existing Marketing dept)
|
||
├── OU=Care-AssistedLiving
|
||
├── OU=Care-MemoryCare
|
||
├── OU=ResidentServices
|
||
│ ├── OU=FrontDesk (reception shared-PC users)
|
||
│ └── OU=CourtesyPatrol
|
||
├── OU=LifeEnrichment
|
||
├── OU=Culinary
|
||
├── OU=Maintenance
|
||
├── OU=Housekeeping
|
||
├── OU=Transportation (drivers)
|
||
└── OU=Caregivers (all 37 shift staff)
|
||
```
|
||
|
||
**Security groups (AD-synced, Entra-usable):**
|
||
- `SG-Office-PHI-External` — 19 people, drives CA policy + Premium license group
|
||
- `SG-Office-PHI-Internal` — 2 people (Allison, Sharon)
|
||
- `SG-CourtesyPatrol` — 3
|
||
- `SG-FrontDesk` — 4
|
||
- `SG-Drivers` — 3
|
||
- `SG-Caregivers` — 37 (already exists or needs creating — check against current `Cascades - Shared Phones` Entra group, which may already cover this)
|
||
|
||
CA policies target groups, not OUs. OUs drive GPO inheritance (folder redirection, local policy) only.
|
||
|
||
## 5. Conditional Access policy set
|
||
|
||
**Decision 2026-04-22 (Howard → Meredith/John):** Default-deny external sign-in for all licensed users. Maintain a small allow-list group for users who legitimately work off-site.
|
||
|
||
This collapses the earlier per-persona policy matrix into two primary CA policies plus the existing caregiver shared-phone policy:
|
||
|
||
| Policy | Targets | Grant |
|
||
|---|---|---|
|
||
| `CSC - Building Only (Default)` | All licensed users **except** `SG-External-Signin-Allowed` and `SG-Caregivers` | Block sign-in unless from the "Cascades Building" named location + MFA |
|
||
| `CSC - External Sign-in Allowed` | `SG-External-Signin-Allowed` | Require compliant Intune-enrolled device + MFA for external sign-in; trusted-location sign-in waives the compliance grant |
|
||
| `CSC - Caregivers Shared Phone` | `SG-Caregivers` | Already designed per `caregiver-m365-p2-rollout.md` (shared-phone Intune + named location) |
|
||
| `CSC - Drivers Phone-Only` | `SG-Drivers` | Require compliant Intune-managed phone; no web fallback. Drivers added to `SG-External-Signin-Allowed` as well if they need off-site phone access. |
|
||
|
||
**Initial `SG-External-Signin-Allowed` membership** — seed from the CSV's Outside=Y column, post-2026-04-22 updates. All 18 office-PHI staff (including Alma R Montt). Everyone else stays on the default building-only policy until Meredith adds them. Britney is no longer on this list — she departed 2026-04-22.
|
||
|
||
**Named location "Cascades Building":** Define once, reuse. Use the site's public IP range(s) from pfSense NAT (`clients/cascades-tucson/pfsense-firewall.sops.yaml`).
|
||
|
||
**Exception-management process:** Adding a user to `SG-External-Signin-Allowed` is a named-access request that should be logged (ideally in the client's Syncro ticketing or a simple note in the client folder). Removal is equally important — e.g., Tamra Matthews comes off the list on her June 2026 departure in addition to her license being deactivated.
|
||
|
||
**Impact on licensing:** All users covered by either CA policy need at least Entra P1 (bundled with Business Premium). This reinforces the default recommendation of Business Premium tenant-wide — Business Standard users couldn't be covered by the CA default-deny without an add-on, and a mixed tenant is harder to reason about.
|
||
|
||
## 6. Pre-flight reconciliation (CSV vs current AD)
|
||
|
||
These must be resolved before creating or converting accounts. See also `cascades-staff-followup-2026-04-22.md`.
|
||
|
||
| Discrepancy | Status | Action |
|
||
|---|---|---|
|
||
| **Britney Thompson** — in AD (enabled, Memory Care Nurse) | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Disable AD account `britney.thompson`. Convert mailbox to shared (or archive + delete). Remove Business Standard + Exchange Online Essentials license (harvested). Remove from any security groups. |
|
||
| **Polett Pinazavala** — was on 2026-04-18 caregiver roster | **RESOLVED 2026-04-22 (John's reply) — DEPARTED.** | Remove from roster. No existing account — no AD/M365 action needed. |
|
||
| **Drivers (Richard Adams, Julian Crim, Christopher Holick)** — all have AD accounts + Transportation@ shared mailbox | **Decision 2026-04-22 (Howard) — drivers no longer get IT access.** | Disable the 3 AD accounts. Keep them on the working roster for employee tracking. Separate decision: keep or retire `Transportation@` shared mailbox — ask Meredith. |
|
||
| **Christine Nyanzunda** — one person, MC Admin + part-time Sun/Mon MedTech | **Resolved 2026-04-22 (Howard) — one account covers both roles.** | Single account in `OU=Care-MemoryCare`. Default building-only CA policy. When she's covering a MedTech shift she logs into the shared MC phone with her own account. If that sign-in gets blocked by the shared-phone CA, add her to a specific exception group rather than splitting into two accounts. |
|
||
| **Alma R Montt** — on CSV (Life Enrichment), NOT in AD | **RESOLVED 2026-04-22 (John's reply).** Username `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y. LE staff assigned to Memory Care residents — stays in `OU=Life Enrichment`. | Create AD account `Alma.Montt` (UPN `alma.montt@cascadestucson.com`). Add to SG-External-Signin-Allowed (Outside=Y). |
|
||
| **Kyla QuickTiffany** — on CSV and in AD "needs account" list | **Resolved 2026-04-22 (Howard, per Kyla's preference): `Kyla.QuickTiffany`** — last name treated as a single word. | Create AD account `Kyla.QuickTiffany` (UPN `kyla.quicktiffany@cascadestucson.com`). Persona: Shared-PC Reception. Building-only, no outside sign-in. |
|
||
| **Ederick Yuzon** — spelling not confirmed | **Still pending Meredith/John.** | Block on creation of his caregiver account only. Everyone else proceeds. Tentative: `Ederick.Yuzon` if needed to unblock Wave 3. |
|
||
| **Matt Brooks** — AD dept = Maintenance, CSV note "works in both departments" | Confirmed (CSV-inline). | Keep in Maintenance OU; add to secondary MC group for access overlap. |
|
||
| **37 caregivers** — on CSV, none in AD | Unchanged. | Create all 37 AD accounts (+ M365) in Wave 3. |
|
||
| **2 agency placeholders** — on CSV, not in AD | **RESOLVED 2026-04-22 (Howard, post-HIPAA-review) — NO shared logins. Per-person accounts only.** | Do NOT create `reliable1`/`reliable2`. Reliable Agency must supply individual names before any caregiver can access PHI. Until then, agency staff work under direct supervision of a Cascades-employed caregiver who is signed in. Rationale documented in `docs/security/hipaa-review-2026-04-22.md`. |
|
||
| **Generic AD accounts** (`Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare`) | Unchanged. | Phase 5 cleanup after named-account coverage. |
|
||
|
||
**Username convention for new accounts:** TitleCase `First.Last` (e.g., `Alma.Montt`, `Kyla.QuickTiffany`). Existing lowercase exceptions in AD (`britney.thompson`, `karen.rossini`, `lauren.hasselman`) are the known legacy cases — leave as-is, don't rename. All net-new accounts follow TitleCase.
|
||
|
||
## 7. Rollout sequence
|
||
|
||
### Wave 0 — HIPAA pre-flight (must complete before any account changes)
|
||
|
||
Per `docs/security/hipaa-review-2026-04-22.md`. These are compliance blockers, not operational blockers — fix before touching accounts.
|
||
|
||
- **Sign Microsoft HIPAA BAA** (5 min, free) — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
|
||
- **Verify/sign ALIS BAA** (Meredith-ask)
|
||
- **Create break-glass cloud-only admin** (`breakglass@cascadestucson.com`): excluded from all CA, FIDO2 security key, vaulted password, sign-in alerts to Howard + Meredith
|
||
- **Enable SMB3 encryption** on `\\CS-SERVER\homes`: `Set-SmbShare -Name homes -EncryptData $true`
|
||
- **Extend M365 audit retention** to 6+ years (Purview Audit Premium add-on or retention policy)
|
||
- **Put Britney's mailbox on Litigation Hold** with verified archive license — BEFORE her account is disabled
|
||
- **Ask Meredith** for the Reliable Agency staffing contract (confirm direct-control language = workforce, not BA)
|
||
- **Draft Risk Analysis** `docs/security/risk-analysis-2026-04.md` following NIST 800-66 Rev 2 §3
|
||
- **Create Security Rule Implementation Register** `docs/security/implementation-register.md`
|
||
|
||
### Wave 0.5 — Entra Connect / AD-M365 identity tie-in (before any account creation in Wave 1)
|
||
|
||
Without Entra Connect, new accounts are cloud-only and create the same AD-vs-M365 drift the tenant already suffers from.
|
||
|
||
**Staged enablement — each gate must pass before advancing to the next:**
|
||
|
||
| Gate | What happens | User-visible impact | Pass criteria before advancing |
|
||
|---|---|---|---|
|
||
| **G1. AD prereq hygiene** | Renames, UPN suffix add, `proxyAddresses` populate, null-password account cleanup, former-employee deletes | None | `Get-ADUser` report shows 0 UPN mismatches vs. the M365 mailbox list; 0 enabled accounts with null `PasswordLastSet` |
|
||
| **G2. Role-account → shared mailbox conversions in M365** | Convert `accounting@`, `frontdesk@`, `hr@`, `transportation@`, etc. to shared mailboxes per `docs/cloud/m365.md` | Licensed-user count drops, frees ~11 seats | Every role-based UPN shows as shared mailbox in Exchange Admin; members are assigned |
|
||
| **G3. Connect install in STAGING MODE** | Sync engine runs, reads AD, produces preview report. **No writes to Entra.** | None | Preview shows ≥95% clean soft-matches against existing M365 users; zero unintended duplicate-creates |
|
||
| **G4. Take out of staging, directory sync ONLY (no Password Hash Sync)** | Hybrid identity appears in Entra. Passwords remain separate between AD and M365. | None — users sign in exactly as today | 48 hours stable with no new support tickets about sign-in |
|
||
| **G5. Announce + enable Password Hash Sync** | AD password hash pushes to Entra. Next Outlook / Teams / Edge launch, prompts once for password. Users enter AD password. | **ONE password prompt, once.** After that: one password for everything. | Zero unresolved helpdesk tickets; test user confirms PC + Outlook + OWA work on same password |
|
||
| **G6. Conditional Access policies go live in REPORT-ONLY mode** | CA evaluates every sign-in and records what WOULD have been blocked, but doesn't actually block. | None | 7–14 days of logs reviewed — zero "would have been blocked" events for legitimate users. Fix trusted-location / compliance gaps as needed. |
|
||
| **G7. CA enforcement flip** | Policy blocks out-of-scope sign-ins for real. | Off-site users unexpectedly on the allow-list see no change; users NOT on allow-list get blocked from outside the building as intended. | Break-glass account confirmed working. Meredith notified. |
|
||
| **G8 (separate project). ALIS SSO Enterprise App registration** | "Sign in with Microsoft" option appears on ALIS login. Existing ALIS username/password keeps working during transition. | Optional new sign-in button. | N/A — rollout when ALIS support has provided federation metadata. |
|
||
|
||
**Rollback points:** G3 through G5 all have clean reverse paths (remove from staging, disable PHS, reset individual passwords). G6/G7 CA policies can be disabled with one click. Only hard-to-reverse step is G1's AD renames — mitigated by the pre-change reg-exports/backups already in the `D:\Backups\pre-entra-connect-*` folder from the 2026-04-22 preflight remediation.
|
||
|
||
**Original install-order prerequisites (covered by G1):**
|
||
|
||
1. **AD prereq cleanup** (no user impact — all reversible):
|
||
- Rename `Tamra.Johnson` → `Tamra.Matthews`
|
||
- Rename `strozzi` → `Shelby.Trozzi`
|
||
- Rename `Alyssa.Shestko` → `Alyssa.Brooks` + delete lowercase duplicate `alyssa.brooks`
|
||
- Fix `Christopher.Holik` → `Christopher.Holick`
|
||
- Fix `Matt.Brooks` UPN to `matthew.brooks@` OR update M365 side to `matt.brooks@`
|
||
- Delete confirmed former employees (Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez)
|
||
- Disable + remove legacy accounts (Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery)
|
||
2. **Add UPN suffix** `cascadestucson.com` in AD Domains and Trusts
|
||
3. **Update all synced users' UPN** to `firstname.lastname@cascadestucson.com`
|
||
4. **Convert M365 role-based accounts to shared mailboxes** FIRST (accounting@, frontdesk@, hr@, etc. — listed in `docs/cloud/m365.md`) — frees 11 licenses
|
||
5. **Delete** `Kristiana Dowse` and `howaed` typo accounts from M365
|
||
6. **Reconcile** `nick pavloff` (M365-only) — create AD account if still employed, or delete
|
||
7. **CS-SERVER readiness check** (separate task — OS version, .NET, disk, FSMO, conflict with QuickBooks DB listener)
|
||
8. **Install Entra Connect in staging mode** on CS-SERVER → Password Hash Sync → Seamless SSO → scope to `OU=Departments`
|
||
9. **Review planned sync output** for unexpected matches/duplicates
|
||
10. **Take out of staging**, verify users see their cloud mailboxes working on the same password
|
||
11. **Communicate to users:** Outlook will prompt once for password; enter your Windows password
|
||
|
||
User-visible impact: one Outlook password prompt on day-of-cutover. **No impact on AD domain logon.**
|
||
|
||
### Wave 1 — Departures + new office accounts (ready after Waves 0 and 0.5)
|
||
- Disable `britney.thompson` AD account — AFTER Litigation Hold is confirmed, mailbox converted to shared with designated custodian (likely Meredith or Lois), Business Standard + Exchange Online Essentials license harvested
|
||
- Disable 3 driver AD accounts (`Richard.Adams`, `Julian.Crim`, `Christopher.Holick`)
|
||
- Ask Meredith whether to keep or retire `Transportation@` shared mailbox
|
||
- Create AD accounts (and let Entra Connect sync to M365) for:
|
||
- Alma R Montt (`Alma.Montt` — Memory Care Life Enrichment, D+P, ALIS=Y, Outside=Y)
|
||
- Kyla QuickTiffany (`Kyla.QuickTiffany` — Shared-PC Reception, D only, building-only)
|
||
- Validate group membership + CA policy assignment on the new accounts before moving to Wave 2
|
||
- Pilot the `CSC - Building Only (Default)` policy with Kyla (Report-only mode first)
|
||
|
||
### Wave 1 — DO NOT DO
|
||
- Do NOT create `reliable1@` or `reliable2@` shared agency accounts (HIPAA review 2026-04-22). See §6 reconciliation + `docs/security/hipaa-review-2026-04-22.md`.
|
||
|
||
### Wave 2 — Existing office accounts, reassignment only
|
||
- Move existing users into new OU layout (no identity changes, just OU move + group membership)
|
||
- Attach each to the correct `SG-*` group based on CSV persona
|
||
- CA policies begin applying; watch for sign-in failures
|
||
|
||
### Wave 3 — Caregiver bulk creation
|
||
- Execute `caregiver-m365-p2-rollout.md` rollout — 37 AD + M365 accounts, SG-Caregivers, shared-phone CA
|
||
- Already designed; this plan just sequences it after office wave
|
||
|
||
### Wave 4 — Cleanup
|
||
- Disable/remove `Culinary`, `RECEPTIONIST`, `saleshare`, `directoryshare` generics once their functions are covered by named accounts + shared mailboxes
|
||
- Disable Tamra's account on her June 2026 departure (other known departures: none as of 2026-04-22)
|
||
- Rotate `krbtgt` password (noted stale in AD doc — overdue)
|
||
|
||
## 8. Account creation template (per new user)
|
||
|
||
Applies to Wave 1 + Wave 3 (and any future hire). Precise script will be built later; plan-level checklist:
|
||
|
||
1. AD account: `First.Last` (consistent with existing convention; note lowercase exceptions for Britney, Karen, Lauren — new accounts use TitleCase)
|
||
2. UPN: `first.last@cascadestucson.com`
|
||
3. Password: auto-generated, stored in vault (`clients/cascades-tucson/new-user-<name>.sops.yaml`), delivered to Meredith via 1Password share
|
||
4. OU placement per persona
|
||
5. Group membership: department-appropriate `SG-*`
|
||
6. M365 license assignment (group-based if feasible)
|
||
7. Mailbox creation (Exchange Online)
|
||
8. ALIS account provisioning (separate system — Meredith/Lois handle)
|
||
9. MFA registration — push to user first login
|
||
10. Confirmation email to Meredith with username + password-share link
|
||
|
||
## 9. Dependencies on other workstreams
|
||
|
||
- **Folder redirection GPO rollout** (`CONTEXT.md` §48) — when we move users to new OUs, make sure the FR GPOs are re-linked to the new OU or stay linked to parent `OU=Cascades Users`. Test on one mover before batch.
|
||
- **Intune phone rollout** (`PROJECT_STATE.md`) — caregiver accounts must exist before Wave 3 of phone deployment (24 remaining Samsung A15s). Identity-first, device-second.
|
||
- **Business Premium purchase proposal** (`docs/proposals/m365-premium-upgrade.md`) — blocks wave 1 if Meredith hasn't approved license spend.
|
||
- **File-share migration: Synology → CS-SERVER** (`docs/migration/phase2-server-prep.md` §4c–4d + `docs/migration/phase4-synology.md`) — Synology Drive Client is live-syncing `\\cascadesds\*` → `D:\Shares\Main` on CS-SERVER (confirmed 2026-03-07). Before users are cut over to CS-SERVER-sourced mapped drives, the AD security groups used for NTFS ACLs on CS-SERVER (`SG-Management-RW`, `SG-Sales-RW`, `SG-Culinary-RW`, `SG-Directory-RW`, `SG-IT-RW`, `SG-Receptionist-RW`, `SG-Chat-RW`, `SG-Server-RW`) must:
|
||
1. Exist in AD (created by `scripts/phase2-ad-setup.ps1`)
|
||
2. Have membership that matches the current per-user access on Synology — a **permission-inventory** step (see below) must produce this mapping before `scripts/phase2-file-shares.ps1` runs
|
||
3. Populate from the user rollout waves — the 22 office-PHI users, 4 receptionists, 3 courtesy patrol, 1 Matt Brooks (dual-dept), 1 Ramon Castaneda, plus caregivers as needed all land in the right `SG-*` groups at account creation
|
||
- Additional HIPAA additions to the phase2 script (per `docs/security/hipaa-review-2026-04-22.md`): enable SMB3 encryption (`Set-SmbShare -EncryptData $true` on every share) and enable Object Access auditing for §164.312(b) Audit Controls
|
||
- Drivers off the SG-* lists entirely — they lose file-share access along with their AD accounts
|
||
|
||
### Permission-inventory prerequisite
|
||
|
||
A one-time non-destructive read of the live Synology is needed to produce the mapping from Synology local users/groups → AD security groups. Commands (run via SSH to `admin@192.168.0.120`, creds at `clients/cascades-tucson/synology-cascadesds.sops.yaml`):
|
||
|
||
```bash
|
||
sudo synogroup --list # Synology local groups
|
||
sudo synouser --list # Synology local users
|
||
sudo cat /etc/synoinfo.conf | grep -i share # share definitions
|
||
for share in homes Management SalesDept Server chat Public Culinary IT Receptionist directoryshare; do
|
||
sudo synoacltool -get /volume1/$share # ACLs per share
|
||
done
|
||
sudo synoshare --get homes # per-share config incl. SMB encryption state
|
||
```
|
||
|
||
Output goes to `docs/migration/synology-permission-inventory.md`, which is then the reference for populating AD groups and building `phase2-file-shares.ps1` inputs. Discovery is non-destructive and can run any time the Synology is up — does not require a maintenance window.
|
||
|
||
## 10. Open decisions blocking the rollout
|
||
|
||
1. **Business Premium tenant-wide vs. mixed SKUs** — Meredith, tied to the upgrade proposal. Building-only-by-default decision reinforces Premium tenant-wide (see §5). **Only remaining BIG decision.**
|
||
2. **Ederick Yuzon spelling** — Meredith/John, asked in the 2026-04-22 email and not yet answered. Only blocks Ederick's own account creation, not the rest of Wave 3.
|
||
3. **Transportation@ shared mailbox** — keep for dispatch/scheduling emails or retire once driver AD accounts are disabled?
|
||
|
||
**Resolved 2026-04-22:**
|
||
- Restrict-everyone default vs. selective → **building-only by default, allow-list for exceptions** (§5).
|
||
- Christine Nyanzunda → one account covers both roles.
|
||
- Kyla → `Kyla.QuickTiffany` (her preference).
|
||
- Alma R Montt → `Alma.Montt`, title "Memory Care Life Enrichment", D+P, ALIS=Y, Outside=Y (answered by John).
|
||
- Britney Thompson → **departed (John)**. Disable AD + harvest license.
|
||
- Polett Pinazavala → **departed (John)**. Remove from roster.
|
||
- Agency shared logins → **NOT CREATED** (HIPAA review supersedes John's confirmation — §164.312(a)(2)(i) prohibits shared PHI-access log-ons). Per-person accounts only when Reliable Agency provides names.
|
||
- Drivers → no IT access per Howard. Disable 3 AD accounts. Stay on roster for tracking.
|
||
|
||
## 11. Related docs
|
||
|
||
- `reports/cascades-staff-2026-04-22.csv`
|
||
- `docs/cloud/cascades-staff-followup-2026-04-22.md`
|
||
- `docs/cloud/p2-staff-candidates.md`
|
||
- `docs/cloud/caregiver-m365-p2-rollout.md`
|
||
- `docs/cloud/m365.md`
|
||
- `docs/servers/active-directory.md`
|
||
- `docs/proposals/m365-premium-upgrade.md`
|
||
- `docs/security/hipaa.md`
|