claudetools/clients/dataforth/docs/projects/shares-permissions/roadmap.md
Howard Enos 83133ddce3 sync: auto-sync from HOWARD-HOME at 2026-06-10 20:21:07
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-10 20:21:07
2026-06-10 20:21:23 -07:00


Dataforth — File Shares & Permissions Remediation: Roadmap

Owner: ACG (Howard) · Client: Dataforth (Dan Center, primary IT contact)
Started: 2026-06-10 · Status: Phase 0 complete; Phase 1 (client input) pending email
Goal: Move Dataforth from "every share open to every employee" to a least-privilege, department-based access model built on AD security groups, with sensitive data (payroll, OSHA, financials) properly restricted — without breaking the DOS/test-datasheet infrastructure or the in-flight post-ransomware file-recovery audit.

Related docs: current-state-2026-06-10.md (plain client-facing overview) · acl-audit-detail-2026-06-10.md (internal technical baseline) · discovery-email-draft.md (client ask)


Why now

The 2026-06-10 read-only audit confirmed: all eight business shares grant access to all staff via Everyone / Domain Users, with Domain Users:FullControl on four of them (archive, sales, Engineering, sage). Payroll, OSHA injury logs, purchase orders, and accounting data are readable and writable by every employee. This is both a security/insider-risk problem and a compliance gap, and it follows a 2025 ransomware incident — tightening share access materially reduces the blast radius of any future credential compromise.


Guiding principles (target model)

  • Department-based AD security groups, granted on resources; users join groups. Naming: SG-<Resource>-<RW|RO> (e.g. SG-Sales-RW, SG-Accounting-RW, SG-Engineering-RO).
  • Least privilege: users get Modify (not Full); only Administrators/owners get FullControl. Remove Everyone. Replace blanket Domain Users with department groups.
  • Access-Based Enumeration (ABE) on every share so users see only what they can open.
  • Share ACL = permissive, NTFS = authoritative (standard pattern): set share to Authenticated Users:Full (or the relevant groups), enforce real access at NTFS via groups.
  • Sensitive shares isolated: Payroll/HR, OSHA, Accounting/Finance get their own restricted groups, broken inheritance, no Domain Users.
  • Infra/app shares excluded from the department model and handled case-by-case: test (DOS/SMB1 guest — leave open), webshare (preserve svc_testdatadb), ITSvc (IT-RW + computers/all-RO), NETLOGON/SYSVOL (never touch).
  • Change is staged and reversible: snapshot every ACL before change; one share at a time; pilot user validation before flipping Everyone/Domain Users off.

Phases

Phase 0 — Discovery (DONE 2026-06-10)

  • Read-only enumeration of shares, top-level folders, share ACLs, NTFS root ACLs on AD1/AD2/FILES-D1/SAGE-SQL.
  • Baseline written: current-state-2026-06-10.md.
  • Confirmed: no department groups; Domain Users has Modify/Full on all shares; sensitive data exposed.

Phase 1 — Client input (BLOCKING — pending)

Send the discovery email to Dataforth and capture their answers. We need:

  1. Department list confirmed/corrected (starter list in the email).
  2. Department → share access matrix — for each share: which departments get Read/Write, Read-Only, or No access.
  3. Sensitive-data rules — who exactly may access Payroll, OSHA, Purchase Orders, Accounting/Sage (named people or a small group).
  4. Department rosters — which employees belong to which department (or an org chart / they map names to departments).
  5. Legacy cleanup decisions — which "Do not use"/person-named/legacy folders can be archived or deleted.
  6. Special cases — execs who see everything, individuals with cross-department needs, external/contractor access.
  • Email sent (recipients to be set by ACG).
  • Replies received and logged into this folder.

Phase 2 — Target-state design (after Phase 1)

  • Build the AD security group list (per share/department, RW + RO variants) with naming convention.
  • Build the permission matrix: groups × shares with explicit Modify/Read/none.
  • Decide structure changes: folder consolidation, legacy archive/delete list, whether to recreate the missing staff share, Engineering volume/letter cleanup.
  • Decide drive-mapping changes (GPO) — keep current letters or map by group.
  • Plan handling of the four special shares (test/webshare/ITSvc/sage-app).
  • Sign-off from Dataforth on the matrix before any change.

Phase 3 — Build (staged, reversible)

  • Snapshot/export current ACLs for every share (icacls /save or Get-Acl export) → store in this folder.
  • Create AD security groups; populate membership from the rosters.
  • Per share, in a controlled order (lowest-risk first, e.g. archive, sales, e-drive/c-drive, Engineering → sensitive last):
    • Break inheritance where needed, add department groups (Modify), keep SYSTEM/Administrators Full.
    • Apply ABE; set share ACL to permissive.
    • Leave Domain Users/Everyone in place initially (additive) and validate with a pilot user in each department.
  • Update GPO drive mappings if the model changes letters/targets.
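The Phase 3 steps above for a single share, as an added example (not the roadmap's or Dataforth's own script): snapshot, create the SG-&lt;Resource&gt;-&lt;RW|RO&gt; groups, add the department ACEs additively, then make the share layer permissive with ABE on. It assumes the RSAT ActiveDirectory and SmbShare modules on the file server; the share name, path, OU and snapshot folder are placeholders.

```powershell
# Added example, not the project's own code. Run locally on the file server (SYSTEM via RMM is fine).
param(
    [string]$ShareName = 'sales',                                    # assumed example share
    [string]$Path      = 'D:\Shares\sales',                          # placeholder local path
    [string]$GroupOU   = 'OU=File Share Groups,DC=example,DC=local', # placeholder OU
    [string]$SnapDir   = 'C:\ACG\acl-snapshots'                      # placeholder snapshot folder
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $SnapDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Snapshot before any change. Roll back with: icacls (Split-Path $Path) /restore <file>
#    (icacls /restore is run against the PARENT of the saved directory).
icacls $Path /save (Join-Path $SnapDir "$ShareName-ntfs-$stamp.acl") /t /c | Out-Null
Get-SmbShareAccess -Name $ShareName |
    Export-Csv (Join-Path $SnapDir "$ShareName-share-$stamp.csv") -NoTypeInformation

# 2. Groups per the SG-<Resource>-<RW|RO> convention; idempotent so the script can be re-run per share.
$nb = (Get-ADDomain).NetBIOSName
foreach ($suffix in 'RW', 'RO') {
    $name = "SG-$ShareName-$suffix"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

# 3. Additive NTFS ACEs on the share root: Modify (not Full) for RW, ReadAndExecute for RO, inherited by children.
#    Everyone / Domain Users are deliberately left untouched here; Phase 4 removes them after pilot validation.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rights  = @{ RW = 'Modify'; RO = 'ReadAndExecute' }
$acl = Get-Acl -Path $Path
foreach ($entry in $rights.GetEnumerator()) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$nb\SG-$ShareName-$($entry.Key)", $entry.Value, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
# Fails with IdentityNotMapped if the new groups have not replicated to the DC this server uses yet; wait and re-run.
Set-Acl -Path $Path -AclObject $acl

# 4. Share ACL permissive, NTFS authoritative; ABE hides folders the user cannot open.
Grant-SmbShareAccess -Name $ShareName -AccountName 'Authenticated Users' -AccessRight Full -Force
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
```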

Phase 4 — Cutover & validate

  • Per share, once validated: remove Everyone and Domain Users (the enforcement step).
  • Walk each department through their access; resolve "I can't get to X" tickets quickly (add to group, not re-open the share).
  • Lock down the sensitive shares last, with explicit HR/Accounting confirmation.
  • Archive/remove approved legacy folders (after the migration-gap audit clears them).
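The enforcement step for one validated share, with a re-check over every non-admin share on the server, as an added example (not the roadmap's own script). It assumes the Phase 3 groups and the Authenticated Users share grant are already in place and that it runs locally with the SmbShare module; the share name is a placeholder.

```powershell
# Added example, not the project's own code. Removes the blanket principals from one share, then re-audits the server.
param([string]$ShareName = 'sales')          # assumed example share
$ErrorActionPreference = 'Stop'
$blanket = @('Everyone', 'Domain Users')     # the principals the 2026-06-10 audit found on every share

function Test-Blanket([string]$principal) { $blanket -contains $principal.Split('\')[-1] }

$Path = (Get-SmbShare -Name $ShareName).Path

# 1. Stop the root inheriting the parent's blanket ACEs; copy the inherited ACEs so nothing else changes.
#    Persist and re-read before removing: RemoveAccessRuleAll ignores rules still flagged as inherited.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

$acl = Get-Acl -Path $Path
foreach ($ace in @($acl.Access | Where-Object { Test-Blanket $_.IdentityReference.Value })) {
    $acl.RemoveAccessRuleAll($ace)
}
Set-Acl -Path $Path -AclObject $acl

# 2. Share layer: revoke the same principals (Authenticated Users keeps the share reachable; NTFS decides access).
Get-SmbShareAccess -Name $ShareName | Where-Object { Test-Blanket $_.AccountName } |
    ForEach-Object { Revoke-SmbShareAccess -Name $ShareName -AccountName $_.AccountName -Force }

# 3. Re-audit: every remaining Everyone / Domain Users grant on this server, share layer and NTFS root.
#    The DOS/SMB1 'test' share is expected to keep showing Everyone; the roadmap leaves it open by design.
function Get-BlanketAccess {
    Get-SmbShare | Where-Object { -not $_.Special -and $_.Name -notin 'NETLOGON', 'SYSVOL' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object { Test-Blanket $_.AccountName } | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Layer = 'Share'; Principal = $_.AccountName; Rights = $_.AccessRight }
        }
        (Get-Acl -Path $share.Path).Access | Where-Object { Test-Blanket $_.IdentityReference.Value } | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Principal = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
        }
    }
}
Get-BlanketAccess | Format-Table -AutoSize   # no rows for a share means its cutover is complete
```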

Phase 5 — Document & handoff

  • Update the Dataforth wiki (shares map + new group model + matrix).
  • Record group→share matrix as the source of truth in this folder.
  • Vault any new service accounts (none expected).
  • Set a review cadence (e.g. quarterly access review with Dan/HR).
  • Bill per phase against the prepaid block (live-check GET /customers/578095).

Risks & watch-items

  • Breaking app dependencies: DOS stations (test), datasheet pipeline (webshare/svc_testdatadb), Sage (sage app paths), GageTrak, Epicor shortcuts. Validate before removing broad access.
  • Migration-gap audit overlap: don't delete/move data the review-only audit still needs; sequence cleanup after it clears each share.
  • AD1 C: drive is 90% full: no staging copies on AD1; the Engineering restructure needs a destination decision.
  • Hidden hard-coded UNC paths: scripts/apps may reference \\server\share\... with assumed open access — surface during pilot validation.
  • Double-hop limitation: ACL changes run locally on each file server (as SYSTEM via RMM) — fine; cross-server file moves use the documented GPO-mapped-drive workaround.
  • Single point of contact: confirm Dan Center is authoritative for access decisions, or who signs off on the sensitive-data rules (likely needs HR/Finance input).

Open questions for ACG (internal, before/with the email)

  • Confirm email recipients/sender (Dan Center primary; CC Kevin Wackerly? Mike or Howard sending?).
  • Is HR/Finance input needed directly for payroll/OSHA/PO rules, or does Dan relay?
  • Do we recreate the missing staff share in this project or keep it separate?
  • Budget/timeline expectations (prepaid block — scope the build phase into billable chunks).