claudetools/clients/dataforth/docs/projects/shares-permissions/roadmap.md
Howard Enos 83133ddce3 sync: auto-sync from HOWARD-HOME at 2026-06-10 20:21:07

# Dataforth — File Shares & Permissions Remediation: Roadmap
**Owner:** ACG (Howard) · **Client:** Dataforth (Dan Center, primary IT contact)
**Started:** 2026-06-10 · **Status:** Phase 0 complete; Phase 1 (client input) pending email
**Goal:** Move Dataforth from "every share open to every employee" to a **least-privilege, department-based access model** built on AD security groups, with sensitive data (payroll, OSHA, financials) properly restricted — without breaking the DOS/test-datasheet infrastructure or the in-flight post-ransomware file-recovery audit.
Related docs: [current-state-2026-06-10.md](./current-state-2026-06-10.md) (plain client-facing overview) · [acl-audit-detail-2026-06-10.md](./acl-audit-detail-2026-06-10.md) (internal technical baseline) · [discovery-email-draft.md](./discovery-email-draft.md) (client ask)
---
## Why now
The 2026-06-10 read-only audit confirmed: all eight business shares grant access to all staff via `Everyone` / `Domain Users`, with `Domain Users:FullControl` on four of them (archive, sales, Engineering, sage). Payroll, OSHA injury logs, purchase orders, and accounting data are readable and writable by every employee. This is both a security/insider-risk problem and a compliance gap, and it follows a 2025 ransomware incident: today a single compromised user account can read and encrypt every share, so tightening share access materially reduces the blast radius of any future credential compromise.
---
## Guiding principles (target model)
- **Department-based AD security groups**, granted on resources; users join groups. Naming: `SG-<Resource>-<RW|RO>` (e.g. `SG-Sales-RW`, `SG-Accounting-RW`, `SG-Engineering-RO`).
- **Least privilege:** users get **Modify** (not Full); only Administrators/owners get FullControl. Remove `Everyone`. Replace blanket `Domain Users` with department groups.
- **Access-Based Enumeration (ABE)** on every share so users see only what they can open.
- **Share ACL = permissive, NTFS = authoritative** (standard pattern): set share to `Authenticated Users:Full` (or the relevant groups), enforce real access at NTFS via groups.
- **Sensitive shares isolated:** Payroll/HR, OSHA, Accounting/Finance get their own restricted groups, broken inheritance, no `Domain Users`.
- **Infra/app shares excluded** from the department model and handled case-by-case: `test` (DOS/SMB1 guest — leave open), `webshare` (preserve `svc_testdatadb`), `ITSvc` (IT-RW + computers/all-RO), `NETLOGON`/`SYSVOL` (never touch).
- **Change is staged and reversible:** snapshot every ACL before change; one share at a time; pilot user validation before flipping `Everyone`/`Domain Users` off.
---
## Phases
### Phase 0 — Discovery (DONE 2026-06-10)
- [x] Read-only enumeration of shares, top-level folders, share ACLs, NTFS root ACLs on AD1/AD2/FILES-D1/SAGE-SQL.
- [x] Baseline written: `current-state-2026-06-10.md`.
- [x] Confirmed: no department groups; Domain Users has Modify/Full on all shares; sensitive data exposed.
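The read-only enumeration Phase 0 describes, as an added PowerShell example (this is not the script ACG used for the 2026-06-10 baseline). It assumes it runs locally on each file server (for instance as SYSTEM via RMM) on a Server version with the `SmbShare` module, and that the "broad" principals worth flagging are the ones in `$Broad`; those names, the `NETLOGON`/`SYSVOL` skip list and the output file name are the example's own choices. Only `Get-*` cmdlets are used, so nothing is modified.

```powershell
# Added example: read-only share + NTFS-root audit that flags broad-access principals.
# Assumptions (not from the roadmap): run locally on the file server; SmbShare module present;
# $Broad is the list of principals treated as "everyone". Nothing is changed.

$Broad      = @('Everyone', 'Authenticated Users', 'BUILTIN\Users', 'Domain Users')
$SkipShares = @('NETLOGON', 'SYSVOL')   # never touch, per the guiding principles

function Test-BroadPrincipal {
    param([string]$Identity)
    # Matches 'Everyone', 'DATAFORTH\Domain Users', 'NT AUTHORITY\Authenticated Users', ...
    foreach ($b in $Broad) { if ($Identity -like "*$b") { return $true } }
    return $false
}

function Get-WorstRight {
    # Collapse a set of FileSystemRights to the strongest generic level granted.
    # GENERIC_* bits (seen on some inherited ACEs) are not decoded and count as 'Read'.
    param([System.Security.AccessControl.FileSystemRights[]]$Rights)
    $FR = [System.Security.AccessControl.FileSystemRights]
    $worst = 'None'
    foreach ($r in $Rights) {
        if (($r -band $FR::FullControl) -eq $FR::FullControl)    { return 'FullControl' }
        elseif (($r -band $FR::Modify) -eq $FR::Modify)          { $worst = 'Modify' }
        elseif (($r -band $FR::Write) -and $worst -ne 'Modify')  { $worst = 'Write' }
        elseif ($worst -eq 'None')                               { $worst = 'Read' }
    }
    return $worst
}

function Get-ShareExposure {
    [CmdletBinding()]
    param([string[]]$Exclude = $SkipShares)

    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path -and $Exclude -notcontains $_.Name }
    foreach ($share in $shares) {
        # Share-level ACL: which broad principals are allowed, and at what level
        $shareBroad = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) })

        # NTFS ACL on the share root (the authoritative layer in the target model)
        $ntfsBroad = @()
        try {
            $ntfsBroad = @((Get-Acl -LiteralPath $share.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value) })
        } catch { Write-Warning "Cannot read NTFS ACL on $($share.Path): $_" }

        [pscustomobject]@{
            Server     = $env:COMPUTERNAME
            Share      = $share.Name
            Path       = $share.Path
            ABE        = $share.FolderEnumerationMode   # 'AccessBased' means ABE is already on
            ShareBroad = ($shareBroad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsBroad  = ($ntfsBroad  | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            WorstNtfs  = Get-WorstRight -Rights @($ntfsBroad | ForEach-Object { $_.FileSystemRights })
        }
    }
}

# Usage: worst exposure first on screen, and a per-server CSV to keep beside the baseline doc
$rank = @('None', 'Read', 'Write', 'Modify', 'FullControl')
Get-ShareExposure | Sort-Object { $rank.IndexOf($_.WorstNtfs) } -Descending | Format-Table -AutoSize
Get-ShareExposure | Export-Csv -NoTypeInformation -Path "acl-audit-$env:COMPUTERNAME-$(Get-Date -Format yyyy-MM-dd).csv"
```

Run it on AD1/AD2/FILES-D1/SAGE-SQL separately and diff the CSVs against the baseline before and after each Phase 3/4 step; a share whose `NtfsBroad` column is empty but whose `ShareBroad` is not is the intended end state (share permissive, NTFS authoritative), while the reverse means the share ACL is doing the enforcement and will silently break once it is loosened.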
### Phase 1 — Client input (BLOCKING — pending)
Send the discovery email to Dataforth and capture their answers. We need:
1. **Department list** confirmed/corrected (starter list in the email).
2. **Department → share access matrix** — for each share: which departments get **Read/Write**, **Read-Only**, or **No access**.
3. **Sensitive-data rules** — who exactly may access Payroll, OSHA, Purchase Orders, Accounting/Sage (named people or a small group).
4. **Department rosters** — which employees belong to which department (or an org chart / they map names to departments).
5. **Legacy cleanup decisions** — which "Do not use"/person-named/legacy folders can be archived or deleted.
6. **Special cases** — execs who see everything, individuals with cross-department needs, external/contractor access.
- [ ] Email sent (recipients to be set by ACG).
- [ ] Replies received and logged into this folder.
### Phase 2 — Target-state design (after Phase 1)
- [ ] Build the **AD security group list** (per share/department, RW + RO variants) with naming convention.
- [ ] Build the **permission matrix**: groups × shares with explicit Modify/Read/none.
- [ ] Decide **structure changes**: folder consolidation, legacy archive/delete list, whether to recreate the missing `staff` share, Engineering volume/letter cleanup.
- [ ] Decide **drive-mapping changes** (GPO) — keep current letters or map by group.
- [ ] Plan handling of the four special shares (test/webshare/ITSvc/sage-app).
- [ ] **Sign-off from Dataforth** on the matrix before any change.
### Phase 3 — Build (staged, reversible)
- [ ] Snapshot/export current ACLs for every share (`icacls /save` or `Get-Acl` export) → store in this folder.
- [ ] Create AD security groups; populate membership from the rosters.
- [ ] Per share, in a controlled order (lowest-risk first, e.g. `archive` → `sales` → `e-drive`/`c-drive` → `Engineering` → sensitive last):
  - Break inheritance where needed, add department groups (Modify), keep SYSTEM/Administrators Full.
  - Apply ABE; set share ACL to permissive.
  - **Leave `Domain Users`/`Everyone` in place initially** (additive) and validate with a pilot user in each department.
- [ ] Update GPO drive mappings if the model changes letters/targets.
### Phase 4 — Cutover & validate
- [ ] Per share, once validated: **remove `Everyone` and `Domain Users`** (the enforcement step).
- [ ] Walk each department through their access; resolve "I can't get to X" tickets quickly by adding the user to the right group, never by re-opening the share.
- [ ] Lock down the sensitive shares last, with explicit HR/Accounting confirmation.
- [ ] Archive/remove approved legacy folders (after the migration-gap audit clears them).
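The Phase 3 build and the Phase 4 cutover applied to one share with the same code path, as an added PowerShell example that implements the guiding principles above (groups granted Modify, SYSTEM/Administrators Full, ABE on, share ACL permissive with NTFS authoritative, snapshot before every change). This is not ACG's build script. It assumes it runs on the file server as an administrator with the `ActiveDirectory` and `SmbShare` modules, a domain NetBIOS name of `DATAFORTH`, the `SG-<Resource>-<RW|RO>` naming convention, and an `icacls` snapshot directory `C:\ACG\acl-snapshots`; the share name, user names and domain-local group scope in the sample run are the example's own choices.

```powershell
# Added example: staged, reversible remediation of ONE share.
#   -Mode Additive  = Phase 3 (groups added, Everyone/Domain Users untouched)
#   -Mode Enforce   = Phase 4 (same grants, then Everyone/Domain Users removed)
# Assumptions (not from the roadmap): domain DATAFORTH, snapshot dir below, AD + SmbShare modules.

$Domain      = 'DATAFORTH'
$SnapshotDir = 'C:\ACG\acl-snapshots'
$Broad       = @('Everyone', "$Domain\Domain Users")   # removed only in Enforce mode
$FR          = [System.Security.AccessControl.FileSystemRights]

function Save-AclSnapshot {
    # Reversibility: 'icacls <root> /restore <file>' puts every saved DACL back
    param([string]$Path, [string]$Label)
    New-Item -ItemType Directory -Force -Path $SnapshotDir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    & icacls $Path /save "$SnapshotDir\$Label-$stamp.icacls" /t /c /q | Out-Null
}

function New-ShareGroup {
    param([string]$Resource, [ValidateSet('RW','RO')][string]$Level, [string[]]$Members = @())
    $name = "SG-$Resource-$Level"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        # Domain-local resource group (example's choice); users or department groups go inside it
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Description "File access: $Resource ($Level)" | Out-Null
    }
    if ($Members.Count) { Add-ADGroupMember -Identity $name -Members $Members }
    return $name
}

function Set-NtfsModel {
    param(
        [string]$Path, [string[]]$RwGroups, [string[]]$RoGroups = @(),
        [switch]$BreakInheritance,                       # sensitive folders: stop inheriting from above
        [ValidateSet('Additive','Enforce')][string]$Mode = 'Additive'
    )
    Save-AclSnapshot -Path $Path -Label (Split-Path $Path -Leaf)
    $acl = Get-Acl -LiteralPath $Path
    if ($BreakInheritance) { $acl.SetAccessRuleProtection($true, $true) }   # protect, keep copies of inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None

    $grants = @()
    foreach ($g in $RwGroups) { $grants += ,@("$Domain\$g", $FR::Modify) }          # Modify, not Full
    foreach ($g in $RoGroups) { $grants += ,@("$Domain\$g", $FR::ReadAndExecute) }
    $grants += ,@('NT AUTHORITY\SYSTEM',    $FR::FullControl)
    $grants += ,@('BUILTIN\Administrators', $FR::FullControl)
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g[0], $g[1], $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)          # merges with any existing ACE for the same identity
    }

    if ($Mode -eq 'Enforce') {
        # Only explicit ACEs can be removed here. An inherited Everyone/Domain Users ACE comes from the
        # parent: fix it there, or call this with -BreakInheritance so the copied ACE becomes explicit.
        foreach ($ace in @($acl.Access | Where-Object { $Broad -contains $_.IdentityReference.Value -and -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-ShareModel {
    param(
        [string]$ShareName, [string[]]$RwGroups, [string[]]$RoGroups = @(),
        [switch]$BreakInheritance,
        [ValidateSet('Additive','Enforce')][string]$Mode = 'Additive'
    )
    $share = Get-SmbShare -Name $ShareName
    Set-NtfsModel -Path $share.Path -RwGroups $RwGroups -RoGroups $RoGroups -BreakInheritance:$BreakInheritance -Mode $Mode

    # Snapshot the share ACL too, then: share permissive, NTFS authoritative, ABE on
    Get-SmbShareAccess -Name $ShareName |
        Export-Csv -NoTypeInformation "$SnapshotDir\$ShareName-share-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    Grant-SmbShareAccess -Name $ShareName -AccountName 'Authenticated Users' -AccessRight Full -Force | Out-Null
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
    if ($Mode -eq 'Enforce') {
        foreach ($p in $Broad) { Revoke-SmbShareAccess -Name $ShareName -AccountName $p -Force -ErrorAction SilentlyContinue | Out-Null }
    }
}

# Constructed sample run (share 'sales', sample users): Phase 3 first, Phase 4 only after pilot validation
# $rw = New-ShareGroup -Resource Sales -Level RW -Members 'jdoe', 'asmith'
# $ro = New-ShareGroup -Resource Sales -Level RO
# Set-ShareModel -ShareName sales -RwGroups $rw -RoGroups $ro -Mode Additive
# Set-ShareModel -ShareName sales -RwGroups $rw -RoGroups $ro -Mode Enforce
```

Two caveats worth checking before calling the Enforce run done. First, `Set-Acl` on the share root only changes the root's inheritable ACE; any subfolder or file that already carries an explicit `Domain Users`/`Everyone` ACE keeps it, so follow up with `icacls <root> /findsid "Domain Users" /t` (or the audit script's logic run recursively) and clean those by hand. Second, `icacls /save /t` on a large share such as Engineering is slow and the output file can be big; that is still the cheapest rollback available, so run it anyway but keep the snapshots off AD1's nearly full C: drive.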
### Phase 5 — Document & handoff
- [ ] Update the Dataforth wiki (shares map + new group model + matrix).
- [ ] Record group→share matrix as the source of truth in this folder.
- [ ] Vault any new service accounts (none expected).
- [ ] Set a review cadence (e.g. quarterly access review with Dan/HR).
- [ ] Bill per phase against the prepaid block (live-check `GET /customers/578095`).
---
## Risks & watch-items
- **Breaking app dependencies:** DOS stations (`test`), datasheet pipeline (`webshare`/`svc_testdatadb`), Sage (`sage` app paths), GageTrak, Epicor shortcuts. Validate before removing broad access.
- **Migration-gap audit overlap:** don't delete/move data the review-only audit still needs; sequence cleanup after it clears each share.
- **AD1 C: 90% full:** no staging copies on AD1; Engineering restructure needs a destination decision.
- **Hidden hard-coded UNC paths:** scripts/apps may reference `\\server\share\...` with assumed open access — surface during pilot validation.
- **Double-hop limitation:** not an issue for the ACL changes, which run locally on each file server (as SYSTEM via RMM); cross-server file moves use the documented GPO-mapped-drive workaround.
- **Single point of contact:** confirm Dan Center is authoritative for access decisions, or who signs off on the sensitive-data rules (likely needs HR/Finance input).
---
## Open questions for ACG (internal, before/with the email)
- Confirm email recipients/sender (Dan Center primary; CC Kevin Wackerly? Mike or Howard sending?).
- Is HR/Finance input needed directly for payroll/OSHA/PO rules, or does Dan relay?
- Do we recreate the missing `staff` share in this project or keep it separate?
- Budget/timeline expectations (prepaid block — scope the build phase into billable chunks).