Dataforth — Proposed Target Folder Structure (DRAFT / strawman)
By: ACG (Howard) · Date: 2026-06-22 · Status: DRAFT — pre-client-input
Inputs: inferred from existing shares + folder contents in current-state-2026-06-10.md, acl-audit-detail-2026-06-10.md, and the ENGR exploration notes. Refine against Dataforth's access matrix (Phase 1 reply) before sign-off.
Purpose: lay out as much of the Phase 2 target-state design as we can from the data we already have — the way Dataforth has their shares arranged today already tells us their departments and data domains. This maps the current sprawl onto the common departmental-share pattern. Nothing here is implemented; it is the proposal we hand the client (simplified) for confirmation.
1. What today's layout tells us (departments inferred from the data)
Their existing shares/folders are effectively organized by department already — just spread across eight shares with no access control. Reading the structure backwards gives us a strong starting department list:
| Evidence in current shares/folders | Implied department / domain |
|---|---|
| Engineering (B:), e-drive ENGR/ECO'S/FMEA/TE, archive (Y:), ATE/DESIGN/Project Reports | Engineering (+ Test Engineering sub) |
| c-drive Manufacturing / Production Control / SMT; e-drive MANUFACT | Manufacturing / Production |
| FMEA, ECO'S, Test Equipment, calibration/ATE | Quality / Calibration |
| sales (W:) — marketing, contacts, RMAs, shipping handoffs | Sales & Marketing |
| c-drive Shipping; sales shipping handoffs | Shipping / Receiving |
| c-drive Purchasing, Purchase Orders | Purchasing |
| sage (S:), e-drive QBfiles, invoices, financial reports | Accounting / Finance (restricted) |
| c-drive Payroll | Payroll / HR (restricted) |
| c-drive OSHA 300 / OSHA Safety Training | HR / Safety (restricted) |
| itsvc, webshare (datasheet automation) | IT (+ app/infra) |
| Person-named + "Do not use" folders across c-drive/sales | legacy → Archive / cleanup |
Departments we can confidently propose: Engineering, Manufacturing/Production, Quality/Calibration, Sales & Marketing, Shipping/Receiving, Purchasing, Accounting/Finance, HR/Payroll, IT, Management/Exec. (Matches the discovery-email starter list — the existing data corroborates it.)
2. Target structure — the "north star" (consolidated departmental share)
The standard pattern: one logical tree, departmental subfolders, a broken-inheritance Restricted branch for sensitive data, a read-mostly Company-Wide area, per-user Users home folders, and a read-only Archive. Access-Based Enumeration (ABE) on so people only see what they can open.
```text
Company\ (one tree; can stay multi-drive-letter mapped — see §4)
|
+-- Departments\
|   +-- Engineering\            ENGR, ECO'S, FMEA, DESIGN, Project Reports, MTBF, LABEL
|   |   +-- Test-Engineering\   ATE, Test Equipment, TESTLOGS, Tester Notebooks
|   |   +-- Custom-Products\
|   +-- Manufacturing\          Production Control, SMT, MANUFACT, Scanned (mfg travelers)
|   +-- Quality\                FMEA (quality copy), Calibration, Test Equipment records
|   +-- Sales-Marketing\        contacts, RMAs, videos, weekly updates, marketing assets
|   +-- Shipping-Receiving\     shipping handoffs, packing/labels
|   +-- Purchasing\             vendor files, (Purchase Orders -> see Restricted)
|   +-- IT\                     tools/notes (software depot stays in ITSvc, see §5)
|
+-- Restricted\  (inheritance BROKEN; no Domain Users; per-area groups)
|   +-- Accounting-Finance\     Sage data refs, invoices, financial reports, QBfiles
|   +-- Payroll\                (from c-drive Payroll)
|   +-- HR\                     personnel, policies-confidential
|   +-- OSHA\                   OSHA 300, Safety Training records
|   +-- Purchase-Orders\        (from c-drive — finance-sensitive)
|
+-- Company-Wide\  (all staff: Read; limited Write groups)
|   +-- Forms\
|   +-- Policies\               (non-confidential, published)
|   +-- Templates\
|   +-- Scanned-Documents\      (general intake; mfg-specific -> Manufacturing)
|   +-- Documents\              (general company docs from c-drive)
|
+-- Users\  (per-user home folders; only owner + admins)
|
+-- Archive\  (read-only historical; legacy + "Do not use" landing zone)
    +-- Engineering-Archive\    (current Y: archive)
    +-- Former-Staff\           (person-named folders pending cleanup decision)
```
App / infra shares stay OUT of this tree and are handled case-by-case (§5).
3. Where each current share/folder lands (migration map)
| Today | Target location | Notes |
|---|---|---|
| Q: c-drive \ Documents | Company-Wide\Documents | confirm any dept-specific subfolders |
| Q: c-drive \ Manufacturing, Production Control, SMT | Departments\Manufacturing | |
| Q: c-drive \ Shipping | Departments\Shipping-Receiving | |
| Q: c-drive \ Purchasing | Departments\Purchasing | |
| Q: c-drive \ Scanned Documents | Company-Wide\Scanned-Documents | split mfg travelers to Manufacturing if needed |
| Q: c-drive \ Payroll | Restricted\Payroll | broken inheritance, HR/Payroll group only |
| Q: c-drive \ OSHA 300 / OSHA Safety Training | Restricted\OSHA | HR/Safety group only |
| Q: c-drive \ Purchase Orders | Restricted\Purchase-Orders | Purchasing + Finance only |
| Q: c-drive \ person-named / "Do not use" | Archive\Former-Staff | after migration-gap audit clears |
| T: e-drive \ ENGR, ECO'S, FMEA | Departments\Engineering | |
| T: e-drive \ Test Engineering (TE) | Departments\Engineering\Test-Engineering | |
| T: e-drive \ MANUFACT | Departments\Manufacturing | dedupe vs c-drive Manufacturing |
| T: e-drive \ QBfiles (QuickBooks) | Restricted\Accounting-Finance | get it off the open eng drive |
| S: sage (Sage ERP) | Restricted\Accounting-Finance (refs) | app paths stay put — see §5 caution |
| W: sales | Departments\Sales-Marketing | shipping handoffs -> Shipping-Receiving subfolder or shared |
| Y: archive (ENGR archive) | Archive\Engineering-Archive | read-only |
| B: Engineering (ENGR: ATE/DESIGN/etc.) | Departments\Engineering (+ Test-Engineering) | largest store; AD1 C: ~90% full — destination decision needed |
| itsvc | stays ITSvc (IT depot) | not in dept tree; §5 |
| X: webshare | stays webshare | app/automation; preserve svc_testdatadb; §5 |
| test | stays test | DOS/SMB1 — untouched, excluded |
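The migration map above as a runnable copy pass. This is an added example for the draft, not an existing Dataforth process or tooling: it drives robocopy from the table, runs list-only first, and deliberately leaves the excluded shares (test, webshare, itsvc, live sage data) out. The server names (`\\FILESERVER`), target root, log directory and the subfolder names chosen under Restricted\OSHA, Departments\Engineering and Restricted\Accounting-Finance are assumptions; the real hosts come from current-state-2026-06-10.md.

```powershell
# Added example (ACG draft tooling, not an existing Dataforth process): executes the §3
# migration map with robocopy. Hosts, target root, log path and destination subfolder
# names are ASSUMPTIONS/placeholders to be replaced from current-state-2026-06-10.md.
$SourceHost = '\\FILESERVER'          # placeholder: host(s) of c-drive/e-drive/sales/archive/Engineering
$TargetRoot = '\\FILESERVER\Company'  # placeholder: §2 tree root
$LogDir     = 'C:\MigrationLogs'      # assumption
$DryRun     = $true                   # list-only first (/L); set $false for the real copy

# Subset of the §3 table, in the §8 build order: archive -> sales -> c-/e-drive -> Engineering.
# Excluded app/infra shares (§5) are intentionally absent from this map.
$Map = @(
  @{ From='archive';                 To='Archive\Engineering-Archive' }
  @{ From='sales';                   To='Departments\Sales-Marketing' }
  @{ From='c-drive\Documents';       To='Company-Wide\Documents' }
  @{ From='c-drive\Manufacturing';   To='Departments\Manufacturing' }
  @{ From='c-drive\Shipping';        To='Departments\Shipping-Receiving' }
  @{ From='c-drive\Purchasing';      To='Departments\Purchasing' }
  @{ From='c-drive\Payroll';         To='Restricted\Payroll' }
  @{ From='c-drive\OSHA 300';        To='Restricted\OSHA\OSHA 300' }            # subfolder name assumed
  @{ From='c-drive\Purchase Orders'; To='Restricted\Purchase-Orders' }
  @{ From='e-drive\ENGR';            To='Departments\Engineering\ENGR' }         # subfolder name assumed
  @{ From="e-drive\ECO'S";           To="Departments\Engineering\ECO'S" }        # subfolder name assumed
  @{ From='e-drive\QBfiles';         To='Restricted\Accounting-Finance\QBfiles' } # subfolder name assumed
  @{ From='Engineering';             To='Departments\Engineering' }              # B: store; needs its volume first (§7)
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$failed = @()
foreach ($m in $Map) {
  $src = Join-Path $SourceHost $m.From
  $dst = Join-Path $TargetRoot $m.To
  $log = Join-Path $LogDir (($m.From -replace "[\\:'\s]", '_') + '.log')
  # /COPY:DAT = data, attributes, timestamps. No 'S': the legacy wide-open ACLs are NOT
  # carried over; the target inherits the new department/Restricted ACEs instead.
  # /XJ skips junctions; /R:1 /W:1 stops one locked file from stalling the whole run.
  $opts = @($src, $dst, '/E', '/COPY:DAT', '/DCOPY:T', '/XJ', '/R:1', '/W:1', '/MT:8', '/NP', "/LOG+:$log")
  if ($DryRun) { $opts += '/L' }   # list-only: reports what would be copied, writes nothing
  & robocopy @opts | Out-Null
  # robocopy exit codes are a bitmask: 0-7 are success variants, 8 and above mean failures.
  if ($LASTEXITCODE -ge 8) { $failed += "$src -> $dst (rc=$LASTEXITCODE)" }
}
if ($failed) { Write-Warning ("Failed copies:`n" + ($failed -join "`n")) }
else         { Write-Host "All $($Map.Count) mappings completed (DryRun=$DryRun); logs in $LogDir" }
```

Run it once with `$DryRun = $true` and read the per-mapping logs before the real pass; the B: Engineering line should stay commented out or be skipped until the destination volume question in §7 is settled.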
4. Drive-letter strategy (keep habits, change permissions)
Two ways to deliver the structure above:
- Option A — Keep current drive letters (recommended for phase 1 of rollout). Leave Q/S/T/W/Y/B mapped where they are; reorganize folders within each share and apply department groups. Lowest disruption, no app/path breakage, no retraining. The "Company / Departments / Restricted" tree is realized logically across the existing shares rather than physically consolidated on day one.
- Option B — Consolidate to one mapped drive (e.g. one Company share, ABE on, single letter) once apps and muscle-memory allow. Cleaner long-term, but risks hard-coded UNC paths (DOS, Sage, datasheet pipeline, GageTrak/Epicor shortcuts) and user retraining.
Recommendation: ship Option A structure + groups first (safe, reversible), hold Option B consolidation as a later optional phase after the app-path audit. Either way the permission model is identical — only the physical/mapping layout differs.
5. Excluded app / infra shares (do NOT fold into the dept tree)
- test (AD2) — DOS test stations, SMB1 + Guest:Read. Leave exactly as-is.
- webshare (AD2) — datasheet automation. Preserve svc_testdatadb:Full; restrict human access to IT/Engineering; do not move paths.
- ITSvc (AD1) — IT software depot. Keep Domain Computers:Read (deployment); IT-RW.
- sage app data (SAGE-SQL) — Sage ERP reads/writes here; do not relocate the live data path. Restrict via group at the share, but keep the UNC stable for the app/SQL.
- NETLOGON/SYSVOL — never touch.
6. AD security groups this implies (naming SG-<Resource>-<RW|RO>)
Derived directly from the structure above — RW for the owning dept, RO where another dept needs visibility (confirm RO grants with the client matrix):
| RW group | RO group | Scope / note |
|---|---|---|
| SG-Engineering-RW | SG-Engineering-RO | |
| SG-Manufacturing-RW | SG-Manufacturing-RO | |
| SG-Quality-RW | SG-Quality-RO | |
| SG-Sales-RW | SG-Sales-RO | |
| SG-Shipping-RW | SG-Shipping-RO | |
| SG-Purchasing-RW | SG-Purchasing-RO | |
| SG-IT-RW | (none) | |
| SG-Accounting-RW | SG-Accounting-RO | Restricted\Accounting-Finance |
| SG-Payroll-RW | (none) | Restricted\Payroll |
| SG-HR-RW | (none) | Restricted\HR, OSHA |
| SG-PurchaseOrders-RW | SG-PurchaseOrders-RO | Purchasing + Finance |
| SG-CompanyWide-RW | (none) | everyone = RO by default via Authenticated Users:Read |
- Users get Modify via the RW group (never Full); SYSTEM/Administrators keep Full.
- Restricted branch: no Domain Users, inheritance broken, only the named group.
- Management/Exec cross-access handled by adding execs to the RO groups they need (not by re-opening shares).
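The §2 tree and the §6 group model as one build script. This is an added example written for the draft, not Dataforth's code or an existing ACG tool; it creates the skeleton, the SG-&lt;Resource&gt;-&lt;RW|RO&gt; groups, breaks inheritance on the Restricted branch, grants Modify (never Full) to RW groups and ReadAndExecute to RO groups, keeps SYSTEM/Administrators at Full, and publishes the root with ABE on. The root path, domain name, group OU, DomainLocal group scope and the share-level permission are assumptions. Under Option A the same functions would be run against each existing share instead of one root.

```powershell
# Added example (ACG strawman tooling, not anything Dataforth runs today): builds the §2
# skeleton and applies the §6 group/ACE model. ASSUMPTIONS: $Root, $Domain, $GroupOU,
# DomainLocal group scope, and a broad share permission with NTFS doing the real restriction.
#Requires -Modules ActiveDirectory, SmbShare
$Root    = 'D:\Shares\Company'                           # assumption: new volume on the file server
$Domain  = 'DATAFORTH'                                   # assumption: NetBIOS domain name
$GroupOU = 'OU=File Share Groups,DC=dataforth,DC=local'  # assumption: OU for the SG-* groups

# Resource -> folder under $Root, and whether an RO group exists (straight from §6).
$Resources = @(
  @{ Name='Engineering';    Path='Departments\Engineering';        RO=$true  }
  @{ Name='Manufacturing';  Path='Departments\Manufacturing';      RO=$true  }
  @{ Name='Quality';        Path='Departments\Quality';            RO=$true  }
  @{ Name='Sales';          Path='Departments\Sales-Marketing';    RO=$true  }
  @{ Name='Shipping';       Path='Departments\Shipping-Receiving'; RO=$true  }
  @{ Name='Purchasing';     Path='Departments\Purchasing';         RO=$true  }
  @{ Name='IT';             Path='Departments\IT';                 RO=$false }
  @{ Name='Accounting';     Path='Restricted\Accounting-Finance';  RO=$true  }
  @{ Name='Payroll';        Path='Restricted\Payroll';             RO=$false }
  @{ Name='HR';             Path='Restricted\HR';                  RO=$false }
  @{ Name='HR';             Path='Restricted\OSHA';                RO=$false }
  @{ Name='PurchaseOrders'; Path='Restricted\Purchase-Orders';     RO=$true  }
)

function New-Ace([string]$Identity, [string]$Rights, [switch]$ThisFolderOnly) {
  # Allow ACE; flows to subfolders and files unless -ThisFolderOnly (used on containers).
  $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
  [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
    [System.Security.AccessControl.InheritanceFlags]$inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
}
function Grant-Folder([string]$Path, [string]$Identity, [string]$Rights, [switch]$ThisFolderOnly) {
  $acl = Get-Acl -LiteralPath $Path
  $acl.AddAccessRule((New-Ace $Identity $Rights -ThisFolderOnly:$ThisFolderOnly))
  Set-Acl -LiteralPath $Path -AclObject $acl
}
function Protect-Folder([string]$Path) {
  # Break inheritance and discard inherited ACEs in the same write that re-adds
  # SYSTEM/Administrators:Full, so the folder is never left with an empty DACL.
  $acl = Get-Acl -LiteralPath $Path
  $acl.SetAccessRuleProtection($true, $false)
  $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
  $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
  Set-Acl -LiteralPath $Path -AclObject $acl
}
function Ensure-Group([string]$Name) {
  # Idempotent. In practice create the groups ahead of the ACL pass (or against the DC
  # the file server talks to) so the new SIDs resolve when Set-Acl runs.
  if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
    New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security `
                -GroupScope DomainLocal -Path $GroupOU | Out-Null
  }
}

# 1. Skeleton from §2 (department folders themselves are created in the loop below).
foreach ($rel in 'Departments','Restricted','Company-Wide','Users','Archive',
                 'Departments\Engineering\Test-Engineering','Departments\Engineering\Custom-Products',
                 'Company-Wide\Forms','Company-Wide\Policies','Company-Wide\Templates',
                 'Company-Wide\Scanned-Documents','Company-Wide\Documents',
                 'Archive\Engineering-Archive','Archive\Former-Staff') {
  New-Item -ItemType Directory -Path (Join-Path $Root $rel) -Force | Out-Null
}

# 2. Containers. Root is protected so nothing (e.g. the volume's default BUILTIN\Users
#    Read) leaks down. Authenticated Users may list Root and Departments, this folder
#    only; ABE hides what they cannot open. Restricted gets no broad ACE at all (§6).
Protect-Folder $Root
Grant-Folder $Root 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' -ThisFolderOnly
Grant-Folder (Join-Path $Root 'Departments') 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' -ThisFolderOnly
Protect-Folder (Join-Path $Root 'Restricted')

# 3. Per-resource groups and ACEs: RW = Modify (never Full), RO = ReadAndExecute.
foreach ($r in $Resources) {
  $full = Join-Path $Root $r.Path
  New-Item -ItemType Directory -Path $full -Force | Out-Null
  $restricted = $r.Path -like 'Restricted\*'
  if ($restricted) { Protect-Folder $full }
  $groups = @(@{ Name="SG-$($r.Name)-RW"; Rights='Modify' })
  if ($r.RO) { $groups += @{ Name="SG-$($r.Name)-RO"; Rights='ReadAndExecute' } }
  foreach ($g in $groups) {
    Ensure-Group $g.Name
    Grant-Folder $full "$Domain\$($g.Name)" $g.Rights
    # Restricted groups also need to list the Restricted container to browse into it.
    if ($restricted) { Grant-Folder (Join-Path $Root 'Restricted') "$Domain\$($g.Name)" 'ReadAndExecute' -ThisFolderOnly }
  }
}

# 4. Company-Wide: all staff Read via Authenticated Users, writes only via the RW group.
Ensure-Group 'SG-CompanyWide-RW'
Grant-Folder (Join-Path $Root 'Company-Wide') 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute'
Grant-Folder (Join-Path $Root 'Company-Wide') "$Domain\SG-CompanyWide-RW" 'Modify'

# 5. One share, Access-Based Enumeration on (§2). Users\ homes and Archive read grants
#    are left to the client matrix (§7) and are not set here.
if (-not (Get-SmbShare -Name 'Company' -ErrorAction SilentlyContinue)) {
  New-SmbShare -Name 'Company' -Path $Root -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
               -FolderEnumerationMode AccessBased | Out-Null
} else {
  Set-SmbShare -Name 'Company' -FolderEnumerationMode AccessBased -Force
}
```

The script is additive (new groups and ACEs only), which is what §8 asks for: nothing here removes Everyone or Domain Users from today's shares, so it can be run before the pilot and reversed by deleting the groups.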
7. What still needs the client (gates Phase 2 sign-off)
This draft fills in everything inferable from the existing layout. Still must come from Dataforth before build:
- Confirm the department list (we inferred it; they validate).
- The access matrix — for each department, RW / RO / none per area (the grid in the discovery email). Our map above assumes "owning dept RW, others none" except where noted.
- Sensitive-data named access — exactly who sees Payroll, OSHA, POs, Accounting (likely HR/Finance sign-off, not just Dan).
- Rosters — who is in each department (to populate groups).
- Cleanup approval — which person-named / "Do not use" folders archive vs delete.
- Engineering destination — AD1 C: ~90% full; the big ENGR store needs a target volume before any restructure/consolidation.
8. Sequencing note
This slots into Phase 2 (Target-state design) of roadmap.md. It is the strawman to (a) sanity-check internally and (b) simplify into the client sign-off doc once the Phase 1 matrix arrives. Build order stays lowest-risk-first (archive -> sales -> c-drive/e-drive -> Engineering -> Restricted last), additive groups first, remove Everyone/Domain Users only after pilot validation.
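A post-pilot check for the §5 must-keep ACEs and the §6/§8 invariants (no Everyone/Domain Users on department or Restricted data, Restricted folders not inheriting, nobody but SYSTEM/Administrators at Full). This is an added example for the draft, not Dataforth's or ACG's existing tooling; the target root and domain name are placeholders, and the set of "broad" identities it flags is wider than the Everyone/Domain Users pair named in §8 (it also treats BUILTIN\Users and Authenticated Users as broad on those branches).

```powershell
# Added example (ACG draft tooling, not something Dataforth runs): audits the built tree
# against the §5 preservation rules and the §6/§8 invariants. Root/domain are placeholders.
$Domain = 'DATAFORTH'                # assumption: NetBIOS domain name
$Root   = '\\FILESERVER\Company'     # placeholder: §2 tree root

# Identities that must not hold an Allow ACE on Departments\* or Restricted\* once the
# pilot is validated (§8). Company-Wide is excluded: Authenticated Users:Read is by design.
$Broad  = @('Everyone', 'BUILTIN\Users', "$Domain\Domain Users", 'NT AUTHORITY\Authenticated Users')
# Only these may hold FullControl (§6: users get Modify via RW groups, never Full).
$FullOk = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$FullMask = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-Findings([string]$Path, [switch]$Restricted) {
  $acl = Get-Acl -LiteralPath $Path
  if ($Restricted -and -not $acl.AreAccessRulesProtected) {
    [pscustomobject]@{ Path=$Path; Issue='Restricted folder still inherits'; Identity='' }
  }
  foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    if ($Broad -contains $id) {
      [pscustomobject]@{ Path=$Path; Issue='Broad identity present'; Identity=$id }
    }
    # Full = all FullControl bits set, or GENERIC_ALL (0x10000000) as seen on some inherited ACEs.
    $r = [int]$ace.FileSystemRights
    $isFull = (($r -band $FullMask) -eq $FullMask) -or (($r -band 0x10000000) -ne 0)
    if ($isFull -and ($FullOk -notcontains $id)) {
      [pscustomobject]@{ Path=$Path; Issue='FullControl outside SYSTEM/Administrators'; Identity=$id }
    }
  }
}

function Test-AcePresent([string]$Path, [string]$Identity, [string]$Right) {
  # True when $Identity holds at least $Right (Allow) on $Path; used for the §5 must-keep ACEs.
  $want = [System.Security.AccessControl.FileSystemRights]$Right
  [bool]((Get-Acl -LiteralPath $Path).Access | Where-Object {
      $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Identity -and
      (($_.FileSystemRights -band $want) -eq $want) })
}

# §5: ACEs that must survive untouched on the excluded app/infra shares.
$MustKeep = @(
  @{ Path='\\AD2\webshare'; Identity="$Domain\svc_testdatadb";   Right='FullControl' }
  @{ Path='\\AD1\ITSvc';    Identity="$Domain\Domain Computers"; Right='Read' }
)

$findings = @()
foreach ($d in Get-ChildItem -LiteralPath (Join-Path $Root 'Departments') -Directory) { $findings += Get-Findings $d.FullName }
foreach ($d in Get-ChildItem -LiteralPath (Join-Path $Root 'Restricted')  -Directory) { $findings += Get-Findings $d.FullName -Restricted }
foreach ($k in $MustKeep) {
  if (-not (Test-AcePresent $k.Path $k.Identity $k.Right)) {
    $findings += [pscustomobject]@{ Path=$k.Path; Issue="Must-keep ACE missing ($($k.Right))"; Identity=$k.Identity }
  }
}
if ($findings.Count -eq 0) { Write-Host 'No findings: ACL state matches the draft model.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an account that can read ACLs on all three servers; before the Everyone/Domain Users removal step it is expected to report "Broad identity present" on every department folder, and the list shrinking to empty is the signal that the §8 pilot gate has been passed.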