claudetools/clients/dataforth/docs/projects/shares-permissions/target-structure-draft-2026-06-22.md
Howard Enos 86c789a7f9 sync: auto-sync from HOWARD-HOME at 2026-06-22 18:54:25
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-22 18:54:25
2026-06-22 18:55:00 -07:00


# Dataforth — Proposed Target Folder Structure (DRAFT / strawman)
**By:** ACG (Howard) · **Date:** 2026-06-22 · **Status:** DRAFT — pre-client-input
**Inputs:** inferred from existing shares + folder contents in
[current-state-2026-06-10.md](./current-state-2026-06-10.md),
[acl-audit-detail-2026-06-10.md](./acl-audit-detail-2026-06-10.md), and the ENGR
exploration notes. Refine against Dataforth's access matrix (Phase 1 reply) before sign-off.
> Purpose: lay out as much of the Phase 2 target-state design as we can **from the data
> we already have** — the way Dataforth has their shares arranged today already tells us
> their departments and data domains. This maps the current sprawl onto the common
> departmental-share pattern. Nothing here is implemented; it is the proposal we hand the
> client (simplified) for confirmation.
---
## 1. What today's layout tells us (departments inferred from the data)
Their existing shares/folders are effectively **organized by department already** — just
spread across eight shares with no access control. Reading the structure backwards gives us
a strong starting department list:
| Evidence in current shares/folders | Implied department / domain |
|---|---|
| `Engineering` (B:), `e-drive` ENGR/ECO'S/FMEA/TE, `archive` (Y:), ATE/DESIGN/Project Reports | **Engineering** (+ Test Engineering sub) |
| c-drive Manufacturing / Production Control / SMT; e-drive MANUFACT | **Manufacturing / Production** |
| FMEA, ECO'S, Test Equipment, calibration/ATE | **Quality / Calibration** |
| `sales` (W:) — marketing, contacts, RMAs, shipping handoffs | **Sales & Marketing** |
| c-drive Shipping; sales shipping handoffs | **Shipping / Receiving** |
| c-drive Purchasing, **Purchase Orders** | **Purchasing** |
| `sage` (S:), e-drive **QBfiles**, invoices, financial reports | **Accounting / Finance** (restricted) |
| c-drive **Payroll** | **Payroll / HR** (restricted) |
| c-drive **OSHA 300 / OSHA Safety Training** | **HR / Safety** (restricted) |
| `itsvc`, `webshare` (datasheet automation) | **IT** (+ app/infra) |
| Person-named + "Do not use" folders across c-drive/sales | legacy → **Archive / cleanup** |
Departments we can confidently propose: **Engineering, Manufacturing/Production,
Quality/Calibration, Sales & Marketing, Shipping/Receiving, Purchasing, Accounting/Finance,
HR/Payroll, IT, Management/Exec.** (Matches the discovery-email starter list — the existing
data corroborates it.)
---
## 2. Target structure — the "north star" (consolidated departmental share)
The standard pattern: **one logical tree**, departmental subfolders, a broken-inheritance
**Restricted** branch for sensitive data, a read-mostly **Company-Wide** area, per-user
**Users** home folders, and a read-only **Archive**, with Access-Based Enumeration (ABE)
enabled so people only see the folders they can actually open.
```
Company\ (one tree; can stay multi-drive-letter mapped — see §4)
|
+-- Departments\
|   +-- Engineering\            ENGR, ECO'S, FMEA, DESIGN, Project Reports, MTBF, LABEL
|   |   +-- Test-Engineering\   ATE, Test Equipment, TESTLOGS, Tester Notebooks
|   |   +-- Custom-Products\
|   +-- Manufacturing\          Production Control, SMT, MANUFACT, Scanned (mfg travelers)
|   +-- Quality\                FMEA (quality copy), Calibration, Test Equipment records
|   +-- Sales-Marketing\        contacts, RMAs, videos, weekly updates, marketing assets
|   +-- Shipping-Receiving\     shipping handoffs, packing/labels
|   +-- Purchasing\             vendor files, (Purchase Orders -> see Restricted)
|   +-- IT\                     tools/notes (software depot stays in ITSvc, see §5)
|
+-- Restricted\ (inheritance BROKEN; no Domain Users; per-area groups)
|   +-- Accounting-Finance\     Sage data refs, invoices, financial reports, QBfiles
|   +-- Payroll\                (from c-drive Payroll)
|   +-- HR\                     personnel, policies-confidential
|   +-- OSHA\                   OSHA 300, Safety Training records
|   +-- Purchase-Orders\        (from c-drive — finance-sensitive)
|
+-- Company-Wide\ (all staff: Read; limited Write groups)
|   +-- Forms\
|   +-- Policies\               (non-confidential, published)
|   +-- Templates\
|   +-- Scanned-Documents\      (general intake; mfg-specific -> Manufacturing)
|   +-- Documents\              (general company docs from c-drive)
|
+-- Users\ (per-user home folders; only owner + admins)
|
+-- Archive\ (read-only historical; legacy + "Do not use" landing zone)
    +-- Engineering-Archive\    (current Y: archive)
    +-- Former-Staff\           (person-named folders pending cleanup decision)
```
**App / infra shares stay OUT of this tree** and are handled case-by-case (§5).
---
## 3. Where each current share/folder lands (migration map)
| Today | Target location | Notes |
|---|---|---|
| Q: c-drive \ Documents | `Company-Wide\Documents` | confirm any dept-specific subfolders |
| Q: c-drive \ Manufacturing, Production Control, SMT | `Departments\Manufacturing` | |
| Q: c-drive \ Shipping | `Departments\Shipping-Receiving` | |
| Q: c-drive \ Purchasing | `Departments\Purchasing` | |
| Q: c-drive \ Scanned Documents | `Company-Wide\Scanned-Documents` | split mfg travelers to Manufacturing if needed |
| Q: c-drive \ **Payroll** | `Restricted\Payroll` | broken inheritance, HR/Payroll group only |
| Q: c-drive \ **OSHA 300 / OSHA Safety Training** | `Restricted\OSHA` | HR/Safety group only |
| Q: c-drive \ **Purchase Orders** | `Restricted\Purchase-Orders` | Purchasing + Finance only |
| Q: c-drive \ person-named / "Do not use" | `Archive\Former-Staff` | after migration-gap audit clears |
| T: e-drive \ ENGR, ECO'S, FMEA | `Departments\Engineering` | |
| T: e-drive \ Test Engineering (TE) | `Departments\Engineering\Test-Engineering` | |
| T: e-drive \ MANUFACT | `Departments\Manufacturing` | dedupe vs c-drive Manufacturing |
| T: e-drive \ **QBfiles** (QuickBooks) | `Restricted\Accounting-Finance` | get it off the open eng drive |
| S: sage (Sage ERP) | `Restricted\Accounting-Finance` (refs) | **app paths stay put — see §5 caution** |
| W: sales | `Departments\Sales-Marketing` | shipping handoffs -> Shipping-Receiving subfolder or shared |
| Y: archive (ENGR archive) | `Archive\Engineering-Archive` | read-only |
| B: Engineering (ENGR: ATE/DESIGN/etc.) | `Departments\Engineering` (+ Test-Engineering) | **largest store; AD1 C: ~90% full — destination decision needed** |
| itsvc | stays `ITSvc` (IT depot) | not in dept tree; §5 |
| X: webshare | stays `webshare` | app/automation; preserve `svc_testdatadb`; §5 |
| test | stays `test` | DOS/SMB1 — untouched, excluded |
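To size the moves in the map above before a destination volume is chosen (the AD1 C: ~90%-full problem), the following PowerShell drives `robocopy` in list-only mode over a subset of the table. This is an added example, not a script from the draft or from Dataforth; the file-server host name, the share UNCs and the target root are assumptions, and the move list below is only a representative subset of §3.

```powershell
# Added example (not part of the draft): dry-run a subset of the §3 migration map with
# robocopy /L (list only) so each move can be sized before a target volume is picked.
# $SourceHost and $TargetRoot are assumptions; real values come from the current-state doc.
$SourceHost = '\\FILESRV'                # assumption: host of the c-drive / e-drive / archive shares
$TargetRoot = '\\FILESRV\Company'        # assumption: root of the consolidated tree (§2)

# (today) -> (target location), copied from the migration table; subset only
$moves = @(
    @{ From = "$SourceHost\c-drive\Payroll";         To = 'Restricted\Payroll' }
    @{ From = "$SourceHost\c-drive\OSHA 300";        To = 'Restricted\OSHA' }
    @{ From = "$SourceHost\c-drive\Purchase Orders"; To = 'Restricted\Purchase-Orders' }
    @{ From = "$SourceHost\e-drive\QBfiles";         To = 'Restricted\Accounting-Finance\QBfiles' }
    @{ From = "$SourceHost\e-drive\ENGR";            To = 'Departments\Engineering\ENGR' }
    @{ From = "$SourceHost\archive";                 To = 'Archive\Engineering-Archive' }
)

function Invoke-MapMove {
    param([string]$From, [string]$To, [switch]$Commit)
    $dest = Join-Path $TargetRoot $To
    # /E         all subfolders, including empty ones
    # /COPY:DAT  data, attributes, timestamps, and deliberately NOT S (source ACLs): the
    #            department ACLs on the target tree must apply, not the old open permissions
    # /XJ        skip junctions; /R:1 /W:1 fail fast on locked files
    # /NP /NFL /NDL  keep only the summary; /BYTES report sizes as plain byte counts
    $rcArgs = @($From, $dest, '/E', '/COPY:DAT', '/XJ', '/R:1', '/W:1', '/NP', '/NFL', '/NDL', '/BYTES')
    if (-not $Commit) { $rcArgs += '/L' }   # list only: no files written (some builds still create the empty dest root)
    $out = & robocopy.exe @rcArgs
    $rc  = $LASTEXITCODE                     # robocopy: 0-7 = success bitmask, 8+ = failures
    $text  = $out -join "`n"
    $files = if ($text -match '(?m)^\s*Files\s*:\s*(\d+)') { [int64]$Matches[1] } else { -1 }
    $bytes = if ($text -match '(?m)^\s*Bytes\s*:\s*(\d+)') { [int64]$Matches[1] } else { -1 }
    [pscustomobject]@{
        From = $From; To = $dest; Files = $files; GiB = [math]::Round($bytes / 1GB, 2)
        Ok = ($rc -lt 8); ExitCode = $rc; Mode = if ($Commit) { 'COPIED' } else { 'DRY-RUN' }
    }
}

# Dry-run every move and total what the new volume must hold; rerun with -Commit once approved
$report = $moves | ForEach-Object { Invoke-MapMove -From $_.From -To $_.To }
$report | Format-Table -AutoSize
'Total: {0:N2} GiB across {1} moves' -f (($report | Measure-Object GiB -Sum).Sum), $report.Count
```

Leaving `S` out of `/COPY` is the deliberate choice here: carrying source ACLs across would reintroduce the `Everyone`/`Domain Users` grants the restructure is meant to remove, so the moved data picks up the target folder's inherited department ACEs instead.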
---
## 4. Drive-letter strategy (keep habits, change permissions)
Two ways to deliver the structure above:
- **Option A — Keep current drive letters (recommended for phase 1 of rollout).** Leave
Q/S/T/W/Y/B mapped where they are; reorganize folders *within* each share and apply
department groups. Lowest disruption, no app/path breakage, no retraining. The
"Company / Departments / Restricted" tree is realized *logically* across the existing
shares rather than physically consolidated on day one.
- **Option B — Consolidate to one mapped drive** (e.g. one `Company` share, ABE on, single
letter) once apps and muscle-memory allow. Cleaner long-term, but risks hard-coded UNC
paths (DOS, Sage, datasheet pipeline, GageTrak/Epicor shortcuts) and user retraining.
**Recommendation:** ship **Option A** structure + groups first (safe, reversible), hold
**Option B** consolidation as a later optional phase after the app-path audit. Either way the
*permission model is identical* — only the physical/mapping layout differs.
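The share-level half of Option A, as an added PowerShell example (not a script from the draft or from Dataforth): the share names and drive letters stay as they are, ABE is switched on, and the department groups are granted before the broad grants are touched. The share-to-group map and the domain NetBIOS name `DATAFORTH` are assumptions; the actual RW/RO grants come from the client matrix. Share permissions are kept coarse (Change/Read) because the NTFS ACLs in §6 do the fine-grained gating.

```powershell
# Added example (not from the draft): Option A at the SMB share layer. Keep share names and
# mappings, turn on Access-Based Enumeration, grant department groups additively, and only
# remove Everyone / Domain Users behind an explicit switch (sequencing per §8).
# $Domain and $shareMap are assumptions to be replaced by the Phase 1 access matrix.
$Domain = 'DATAFORTH'   # assumption

# Which groups each existing share must admit, and at what share-level right
$shareMap = @{
    'c-drive'     = @{ 'SG-Manufacturing-RW' = 'Change'; 'SG-Shipping-RW' = 'Change'; 'SG-Purchasing-RW' = 'Change'
                       'SG-CompanyWide-RW' = 'Change'; 'Authenticated Users' = 'Read' }
    'e-drive'     = @{ 'SG-Engineering-RW' = 'Change'; 'SG-Manufacturing-RW' = 'Change'; 'SG-Quality-RW' = 'Change' }
    'sales'       = @{ 'SG-Sales-RW' = 'Change'; 'SG-Shipping-RO' = 'Read' }
    'archive'     = @{ 'SG-Engineering-RO' = 'Read' }
    'Engineering' = @{ 'SG-Engineering-RW' = 'Change'; 'SG-Quality-RO' = 'Read' }
}
$BroadPrincipals = @('Everyone', "$Domain\Domain Users")

function Set-DeptShare {
    param([string]$Name, [hashtable]$Grants, [switch]$RemoveBroad)
    $share = Get-SmbShare -Name $Name -ErrorAction Stop

    # 1. ABE: a user browsing the share sees only the folders their NTFS ACL lets them open
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
    }
    # 2. Additive first: admins and department groups go on before anything is removed
    Grant-SmbShareAccess -Name $Name -AccountName 'BUILTIN\Administrators' -AccessRight Full -Force | Out-Null
    foreach ($g in $Grants.Keys) {
        $acct = if ($g -eq 'Authenticated Users') { "NT AUTHORITY\$g" } else { "$Domain\$g" }
        Grant-SmbShareAccess -Name $Name -AccountName $acct -AccessRight $Grants[$g] -Force | Out-Null
    }
    # 3. Only after pilot validation: drop the open grants from the share
    if ($RemoveBroad) {
        $current = Get-SmbShareAccess -Name $Name
        foreach ($p in $BroadPrincipals) {
            if ($current | Where-Object AccountName -eq $p) {
                Revoke-SmbShareAccess -Name $Name -AccountName $p -Force | Out-Null
            }
        }
    }
    # Return the resulting share ACL so each run leaves an auditable record
    Get-SmbShareAccess -Name $Name | Select-Object Name, AccountName, AccessControlType, AccessRight
}

# First pass: ABE + additive grants. Second pass, after sign-off: add -RemoveBroad.
foreach ($s in $shareMap.GetEnumerator()) { Set-DeptShare -Name $s.Key -Grants $s.Value }
```

Because effective access is the more restrictive of the share ACL and the NTFS ACL, `Change` at the share plus `Modify` on NTFS gives the RW groups exactly Modify, and `Read` at the share caps an RO group even if an NTFS ACE is later set too loosely by mistake.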
---
## 5. Excluded app / infra shares (do NOT fold into the dept tree)
- `test` (AD2) — DOS test stations, SMB1 + Guest:Read. **Leave exactly as-is.**
- `webshare` (AD2) — datasheet automation. **Preserve `svc_testdatadb:Full`**; restrict
human access to IT/Engineering; do not move paths.
- `ITSvc` (AD1) — IT software depot. Keep `Domain Computers:Read` (deployment); IT-RW.
- `sage` app data (SAGE-SQL) — Sage ERP reads/writes here; **do not relocate the live data
path.** Restrict via group at the share, but keep the UNC stable for the app/SQL.
- `NETLOGON` / `SYSVOL` — never touch.
---
## 6. AD security groups this implies (naming `SG-<Resource>-<RW|RO>`)
Derived directly from the structure above — RW for the owning dept, RO where another dept
needs visibility (confirm RO grants with the client matrix):
```
SG-Engineering-RW      SG-Engineering-RO
SG-Manufacturing-RW    SG-Manufacturing-RO
SG-Quality-RW          SG-Quality-RO
SG-Sales-RW            SG-Sales-RO
SG-Shipping-RW         SG-Shipping-RO
SG-Purchasing-RW       SG-Purchasing-RO
SG-IT-RW
SG-Accounting-RW       SG-Accounting-RO        (Restricted\Accounting-Finance)
SG-Payroll-RW                                  (Restricted\Payroll)
SG-HR-RW                                       (Restricted\HR, OSHA)
SG-PurchaseOrders-RW   SG-PurchaseOrders-RO    (Purchasing + Finance)
SG-CompanyWide-RW                              (everyone = RO by default via Authenticated Users:Read)
```
- Users get **Modify** via the RW group (never Full); SYSTEM/Administrators keep Full.
- Restricted branch: **no `Domain Users`**, inheritance broken, only the named group.
- Management/Exec cross-access handled by adding execs to the RO groups they need (not by
re-opening shares).
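The tree in §2 and the group model in §6 together define the NTFS side; the following PowerShell is an added example (not Dataforth's or ACG's script) that creates the `SG-<Resource>-<RW|RO>` groups and applies that model: RW gets Modify, RO gets ReadAndExecute, and each Restricted area has inheritance broken with only SYSTEM, Administrators and its named group. The domain name, the group OU and the root path are assumptions; under Option A, run it once per existing share with `$Root` pointed at that share's folder instead.

```powershell
# Added example (not from the draft): build the SG groups and apply the §6 NTFS model.
# Assumptions: $Domain, $GroupOU, $Root. Requires the ActiveDirectory RSAT module.
#Requires -Modules ActiveDirectory
param(
    [string]$Domain  = 'DATAFORTH',                                       # assumption
    [string]$GroupOU = 'OU=Share Groups,OU=Groups,DC=dataforth,DC=local',  # assumption
    [string]$Root    = 'D:\Company'                                        # assumption (Option B layout)
)
Import-Module ActiveDirectory

# Resource -> folder, whether an RO group exists, and whether it sits in the Restricted branch
$model = @(
    @{ Resource = 'Engineering';    Path = 'Departments\Engineering';        RO = $true;  Restricted = $false }
    @{ Resource = 'Manufacturing';  Path = 'Departments\Manufacturing';      RO = $true;  Restricted = $false }
    @{ Resource = 'Quality';        Path = 'Departments\Quality';            RO = $true;  Restricted = $false }
    @{ Resource = 'Sales';          Path = 'Departments\Sales-Marketing';    RO = $true;  Restricted = $false }
    @{ Resource = 'Shipping';       Path = 'Departments\Shipping-Receiving'; RO = $true;  Restricted = $false }
    @{ Resource = 'Purchasing';     Path = 'Departments\Purchasing';         RO = $true;  Restricted = $false }
    @{ Resource = 'IT';             Path = 'Departments\IT';                 RO = $false; Restricted = $false }
    @{ Resource = 'Accounting';     Path = 'Restricted\Accounting-Finance';  RO = $true;  Restricted = $true  }
    @{ Resource = 'Payroll';        Path = 'Restricted\Payroll';             RO = $false; Restricted = $true  }
    @{ Resource = 'HR';             Path = 'Restricted\HR';                  RO = $false; Restricted = $true  }
    @{ Resource = 'PurchaseOrders'; Path = 'Restricted\Purchase-Orders';     RO = $true;  Restricted = $true  }
)

function Ensure-Group([string]$Name) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

function New-Ace([string]$Identity, [string]$Rights) {
    # Folder + file inheritance so the ACE flows down the whole branch
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-FolderModel($Entry) {
    $folder = Join-Path $Root $Entry.Path
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $acl = Get-Acl -Path $folder

    if ($Entry.Restricted) {
        # Break inheritance and discard inherited ACEs so nothing from the parent
        # (Domain Users, Authenticated Users) reaches the sensitive area
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
        foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
            $acl.AddAccessRule((New-Ace $admin 'FullControl'))
        }
    }
    # Owning dept gets Modify, never Full, so users cannot re-ACL the folder themselves
    $acl.AddAccessRule((New-Ace "$Domain\SG-$($Entry.Resource)-RW" 'Modify'))
    if ($Entry.RO) {
        $acl.AddAccessRule((New-Ace "$Domain\SG-$($Entry.Resource)-RO" 'ReadAndExecute'))
    }
    Set-Acl -Path $folder -AclObject $acl
}

foreach ($e in $model) {
    Ensure-Group "SG-$($e.Resource)-RW"
    if ($e.RO) { Ensure-Group "SG-$($e.Resource)-RO" }
    Set-FolderModel $e
}

# Verification: every Restricted area must be protected and carry no broad-principal ACE
$broad = 'Domain Users', 'Everyone', 'Authenticated Users'
Get-ChildItem -Path (Join-Path $Root 'Restricted') -Directory | ForEach-Object {
    $acl = Get-Acl $_.FullName
    $bad = $acl.Access | Where-Object { $id = $_.IdentityReference.Value; $broad | Where-Object { $id -like "*$_" } }
    if ($acl.AreAccessRulesProtected -and -not $bad) { "OK   $($_.FullName)" }
    else { "FAIL $($_.FullName): inherits=$(-not $acl.AreAccessRulesProtected) broad=$($bad.IdentityReference -join ',')" }
}
```

The verification loop at the end is the check worth keeping as a scheduled job: a FAIL line means either inheritance was re-enabled on a Restricted folder or a broad principal was granted back, both of which silently undo the point of the branch.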
---
## 7. What still needs the client (gates Phase 2 sign-off)
This draft fills in everything inferable from the existing layout. Still **must come from
Dataforth** before build:
1. **Confirm the department list** (we inferred it; they validate).
2. **The access matrix** — for each department, RW / RO / none per area (the grid in the
discovery email). Our map above assumes "owning dept RW, others none" except where noted.
3. **Sensitive-data named access** — exactly who sees Payroll, OSHA, POs, Accounting (likely
HR/Finance sign-off, not just Dan).
4. **Rosters** — who is in each department (to populate groups).
5. **Cleanup approval** — which person-named / "Do not use" folders archive vs delete.
6. **Engineering destination** — AD1 C: ~90% full; the big ENGR store needs a target volume
before any restructure/consolidation.
---
## 8. Sequencing note
This slots into **Phase 2 (Target-state design)** of [roadmap.md](./roadmap.md). It is the
strawman to (a) sanity-check internally and (b) simplify into the client sign-off doc once
the Phase 1 matrix arrives. Build order stays lowest-risk-first
(archive -> sales -> c-drive/e-drive -> Engineering -> Restricted last), additive groups
first, remove `Everyone`/`Domain Users` only after pilot validation.