claudetools/clients/cascades-tucson/docs/migration/share-access-matrix-2026-04-23.md
Howard Enos 6e2d99bd23 sync: auto-sync from HOWARD-HOME at 2026-04-23 21:12:42
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-23 21:12:42
2026-04-23 21:12:43 -07:00


Share Access Review — Cascades of Tucson

Prepared: 2026-04-23 (Howard) · For review by: John Trozzi / Meredith Kuhn

What you're looking at: every current employee, their department + position, and which shared folders they should have access to on the new CS-SERVER setup. Please read through and confirm each person is (a) in the right department/position, and (b) has the right folder access. Flag anything wrong.

No changes have been made yet. This is the review draft. Once you sign off, we apply it to AD and the share permissions on CS-SERVER.


Reading the list

  • Access: X, Y, Z means read + write on those folders.
  • Read-only: X means they can open files but not save/delete.
  • Everyone gets the Public share (company-wide scratch space) and their own personal home folder. Those aren't repeated per person below.
  • IT, Culinary, Sandra Fish Archive, Clinical (pacs), and Life Enrichment (Activities) are special-access — only the people listed get in.
  • The old chat folder is being retired — company chat is moving to Teams.

Folders at a glance

| Folder | What's in it |
| --- | --- |
| Management | Office/admin docs, budgets, HR-adjacent files |
| Sales | Sales and move-in coordination docs (resident intake) |
| ALdocs | Assisted Living documentation (clinical/operational) — new share, CS-SERVER only |
| WebDocs | Web / marketing / sales-collateral docs — new share, CS-SERVER only (distinct from retired DSM web share) |
| Server | IT/vendor docs, server config, maintenance records |
| Directory | Resident directory (phone, room, emergency contact) — most staff need read |
| Receptionist | Dump folder for scans from the copy room — Tower front desk only. Front-desk staff pull the scans from here, process them, and delete as they go. Drive is mapped by machine + user via GPO / logon script: it appears only on Tower reception PC(s) and only for users who are in the Tower reception role group. MC receptionist PC does not get this mapped. |
| Culinary | Menus, kitchen ordering, dining room operations |
| Life Enrichment | Activity calendars, program docs — new share, CS-SERVER only. LE machines currently have no mapped drives, so this will be the first file share those stations connect to. |
| Clinical (PHI) | Medical imaging / clinical records. Howard verified 2026-04-23: the Synology pacs folder is empty — no data to migrate. Question is whether clinical staff need a shared clinical folder on CS-SERVER at all, or if ALIS covers everything. Pending Meredith. |
| IT | Systems admin docs — IT only |
| Sandra Fish Archive | Former director's personal folder — Meredith only |
| Home | Each person's own personal folder (folder redirection) |
| Public | Company-wide scratch space — everyone |

Administrative

Meredith Kuhn — Executive Director

Access: Management, Sales, ALdocs, WebDocs, Server, Directory, Receptionist, Life Enrichment, Clinical, Sandra Fish Archive (sole custodian)
Read-only: Culinary

Ashley Jensen — Assistant Executive Director

Access: Management, Sales, ALdocs, WebDocs, Server, Directory, Receptionist, Life Enrichment, Clinical
Read-only: Culinary
Note: Same level as Meredith per Howard 2026-04-23.

Lauren Hasselman — Business Office Director

Access: Management, Sales, Server, Directory
Read-only: Receptionist

Allison Reibschied — Accounting Assistant

Access: Management, Directory


Marketing / Sales

Megan Hiatt — Sales Director

Access: Management, Sales, ALdocs, WebDocs, Directory

Crystal Rodriguez — Sales Associate

Access: Management, Sales, ALdocs, WebDocs, Directory
Note: Crystal Suszek is Crystal Rodriguez's former name (confirmed 2026-04-23). Consolidate to the single Crystal.Rodriguez AD account at cutover; disable the old Synology Crystal Suszek account.

Tamra Matthews — Move-In Coordinator

Access: Management, Sales, ALdocs, WebDocs, Directory
Note: Leaving June 2026 — access ends on her departure. Action before cutover: Tamra has a Sales Dept folder in the root of her user profile on her PC that does not appear to be syncing to the server. Back it up and migrate its contents into \\CS-SERVER\SalesDept (or the new CS-SERVER Sales share path) before her departure.


Care, Assisted Living (Nursing / Clinical)

Lois Lane — Health Services Director

Access: ALdocs, Directory, Clinical (PHI)
Read-only: Management
Note: ALdocs is the main nursing share. She and Karen are the only nurses granted RW per Howard 2026-04-23 ("only nurses will need access to the ALdocs").
Anomaly: Currently has no share access on Synology — proposed scope is based on her director role. Confirm she actually wants file access vs. working only through ALIS.

Karen Rossini — Health Services Manager

Access: ALdocs, Directory, Clinical (PHI)
Note: Same nursing-access pattern as Lois.
Anomaly: Currently only has home-folder access on Synology — likely underprovisioned.

Veronica Feller — Care, Assisted Living Aide

Access: Management, Sales, Server, Directory, Life Enrichment, Clinical
Note (Howard 2026-04-23): Keep the permissions she currently has on Synology, but not at admin level — she's a regular RW user, not a share administrator. Scope above matches her current Synology RW list (minus the retiring chat share, minus Sandra Fish which is Meredith-only, minus Culinary which is now restricted to kitchen staff only).


Care, Memory Care

Shelby Trozzi — Memory Care Director

Access: Management, Server, Directory, Receptionist, Clinical (PHI)
Read-only: Sales, Life Enrichment
Note: Currently has admin-full (ownership-class) access to 5 shares on Synology. Per Howard's direction she does not need that level — proposed scope above is what a MC Director actually uses day-to-day.

Christine Nyanzunda — Memory Care Admin Assistant (also PT MedTech)

Access: Directory, Receptionist, Clinical (PHI)
Read-only: Management


Resident Services

Christina DuPras — Resident Services Director

Access: Management, Server, Directory, Receptionist
Read-only: Life Enrichment

Cathy Kingston — Receptionist (Tower front desk, shared PC)

Access: Directory, Receptionist

Shontiel Nunn — Receptionist (Tower front desk, shared PC)

Access: Directory, Receptionist

Kyla Quick Tiffany — Receptionist (Tower front desk, shared PC)

Access: Directory, Receptionist
Note: AD account not yet created (Wave 1 of user rollout). Spelling confirmed per Kyla as Kyla.QuickTiffany.

Michelle Shestko — MC Receptionist (MC front desk, shared PC)

Access: Directory
Note: MC front desk does NOT get the Receptionist scan-drop share — that's Tower-front-desk-only per Howard 2026-04-23.

Sebastian Leon — Courtesy Patrol

Access: Directory, Receptionist

Sheldon Gardfrey — Courtesy Patrol

Access: Directory, Receptionist

Ray Rai — Courtesy Patrol

Access: Directory, Receptionist


Life Enrichment

Susan Hicks — Life Enrichment Director

Access: Directory, Life Enrichment
Read-only: Management
Note: Life Enrichment workstations currently have no mapped drives at all. The new LifeEnrichment share will be the first file share those PCs connect to — needs a one-time map at setup.

Sharon Edwards — Life Enrichment Assistant

Access: Directory, Life Enrichment
Note: Same LE-new-mapping note as Susan.

Alma R Montt — MC Life Enrichment

Access: Directory, Life Enrichment
Note: AD account not yet created (Wave 1 of user rollout). LE-machine drive mapping applies once her account + PC are set up.


Culinary

JD Martin — Culinary Director

Access: Culinary
Note: Kitchen staff only need the Culinary share — no Directory, no other shares (Howard 2026-04-23).

Ramon Castaneda — Kitchen Manager

Access: Culinary

Alyssa Brooks — Dining Manager

Access: Culinary


Maintenance

John Trozzi — Facilities Director

Access: Server, Directory
Read-only: Management, Culinary
Anomaly: Currently has no share access on Synology. Proposed scope gives him Server for vendor/maintenance records. John — confirm you want Server, or just Directory? Culinary read-only is by design (he's on the approved Culinary read list alongside Meredith and Ashley — only kitchen staff write there).

Matt Brooks — MC Receptionist (also works Maintenance)

Access: Directory
Read-only: Server
Note: HR has him in Maintenance; CSV says MC Receptionist. Works both departments — confirm primary dept assignment. Does NOT get the Receptionist scan-drop share (that's Tower-front-desk-only, and he covers the MC desk, not Tower).


Housekeeping

Lupe Sanchez — Housekeeping Director

Access: Directory
Anomaly: Currently has no share access on Synology. Confirm this minimal scope is right, or does she need Management read for budgets/supplier docs?


Transportation — no IT access

Per 2026-04-22 decision, drivers' AD accounts are being disabled. No share access going forward.

  • Richard Adams — Driver
  • Julian Crim — Driver
  • Christopher Holick — Driver

Caregivers (shift staff) — no on-prem shares

All 37 caregivers access clinical data exclusively through ALIS. No SMB/file-share access of any kind — no Directory, no Clinical, nothing. Confirmed 2026-04-23.

Names (from CSV): Thelma Abainza, Niel Castro, Espe Esperance, Barbara Johnson, Kasey Flores, Richard Flores, Marie Kastner, Bella Mendoza, Rosa Morales, Sandra Padilla, Whisper Reed, Patricia Sandoval-Beck, Charity Sika, Ederick Yuzon, Juan Andrade, Jahmeka Clarke, Karina Aziakpo, Jinnelle Dittbenner, Agnes McFerren, Samuel Ramirez, Erica Sanchez, Katrina Wyzykowski, Corey Tate, Ashli Atwood, Cole Johnson, Roseline Cooper, Monique Lopez, Gloria Williford, Sarah Carroll, Luke Hogan, Gina Williams, Jen Higdon, Mary Kariuki, CeCe Lassey, Paty Doran, Ezekiel Huerta, Maia Baker.

Agency placeholders ("Reliable Agency 1/2") are not being created as accounts — per-person names required before PHI access, per HIPAA review 2026-04-22.


Accounts to remove at cutover (not current employees)

These names show up on Synology but are not in John's current employee list. They'll be disabled when we retire the Synology file-share role:

  • Amber M Lee, Ann Dery, Anna Pitzlin, Britney Thompson, Haris Durut, Monica RamirezRossette, Nela Durut-Azizi, Stephanie Devin — all former employees.
  • Tamra Johnson (old alias — now Tamra Matthews)
  • CasAdmin201 — prior-MSP admin account. Confirm with Meredith before deletion.
  • Role accounts: Accounting, Dining Manager, Front Desk, mcnurse, memcarenurse, Memcare Receptionist, Nurse Tower. These are shared logins that violate the HIPAA unique user identification requirement. Replaced by the named-person accounts above.

Decisions already settled

  • Sandra Fish Archive — archived to CS-SERVER\Archive\Former-Director-Sandra-Fish\, Meredith is the sole custodian (settled 2026-04-23).
  • Drivers lose IT access — Richard Adams / Julian Crim / Christopher Holick AD accounts disabled (settled 2026-04-22).
  • Agency caregivers — no shared logins; per-person accounts only when Reliable supplies names (settled 2026-04-22 per HIPAA review).
  • chat share retired — Teams replaces it company-wide (settled 2026-04-23). No migration needed.
  • Culinary access limited — only kitchen staff (JD, Ramon, Alyssa) get write access. Meredith, John Trozzi, and Ashley get read-only. Nobody else has access (settled 2026-04-23).
  • Culinary folder path — Culinary lives at D:\Shares\Culinary on CS-SERVER (local to the server, not synced with Synology). Kitchen team doesn't need the data anywhere else, so no two-way sync (settled 2026-04-23).
  • Veronica Feller — keeps her current Synology RW scope (Management, Sales, Server, Life Enrichment, Clinical) + Directory, but NOT at admin level. Settled 2026-04-23.
  • Caregivers — zero on-prem share access — all clinical work through ALIS. No Directory, no Clinical, no read access to the resident contact list from phones, no exceptions (settled 2026-04-23).
  • Crystal Suszek → Crystal Rodriguez — same person, former name. Single AD account Crystal.Rodriguez; old Synology Crystal Suszek account disabled at cutover (settled 2026-04-23).
  • CasAdmin201 — will NOT become a domain user on cs-server/CS-SERVER. Disabled on Synology at cutover (settled 2026-04-23).
  • New CS-SERVER shares to create (settled 2026-04-23):
    • LifeEnrichment — CS-SERVER local, RW for Susan/Sharon/Alma only. LE workstations currently have no mapped drives — this will be their first.
    • ALdocs — Assisted Living documentation, CS-SERVER local, RW for nurses (Lois, Karen) + Meredith + Ashley + Sales team (Megan, Crystal, Tamra).
    • WebDocs — web/marketing collateral, CS-SERVER local, RW for Sales team + Meredith + Ashley. Distinct from the retired Synology web DSM share.
  • Sales team share set (settled 2026-04-23) — Megan, Crystal, Tamra all get RW on: ALdocs, WebDocs, SalesDept, Management, Directory.
  • Tamra's local Sales Dept folder — she has a Sales Dept folder in the root of her user profile that's NOT syncing to the server. Action before her June 2026 departure: back it up and move contents into \\CS-SERVER\SalesDept. Tracked as action item below.
  • Kitchen staff scope (settled 2026-04-23) — JD, Ramon, Alyssa only get RW on Culinary. No Directory, no other shares. They don't need them.
  • Sales team Receptionist access (settled 2026-04-23) — removed. Megan, Crystal, Tamra don't need the Receptionist scan-drop share.
  • Receptionist share scoping (settled 2026-04-23) — the Receptionist share is a dump folder for scans from the copy room. Tower front desk only — not MC receptionist, not Sales, not sales-supporting roles. It is mapped by machine + user via GPO or logon script: drive appears only on Tower reception PC(s) for users in the Tower receptionist role group. Michelle (MC receptionist) and Matt Brooks (MC receptionist coverage) do NOT get this mapped. Courtesy Patrol (Sebastian, Sheldon, Ray) cover Tower reception after hours, so they keep access. Christina DuPras keeps access for RS Director oversight. Meredith + Ashley keep access for executive oversight.

Decisions still needed from John / Meredith

Tick each when answered:

  • Lois Lane — grant the director-level access proposed (Directory + Clinical + Mgmt read), or leave her at ALIS-only?
  • Karen Rossini — grant Clinical + Directory, or less?
  • Susan Hicks — grant LE Director scope as proposed?
  • John Trozzi — want Server access for vendor/maintenance docs, or just Directory + Culinary?
  • Lupe Sanchez — minimal scope (Directory only) OK, or does she need Management read?
  • Shelby Trozzi — OK with the narrower scope (no admin-full), keeping her as MC Director?
  • Matt Brooks — primary department: Maintenance or Resident Services (MC Receptionist)?
  • Christine Nyanzunda — Management as read-only OK, or does she need write?
  • Activities folder — confirm contents are Life Enrichment only (so we create CS-SERVER LifeEnrichment share with just LE team RW)
  • pacs folder — Howard verified 2026-04-23 it's empty on Synology. Do we create a Clinical shared folder on CS-SERVER at all? If clinical staff use ALIS for everything, retire the concept entirely (and strip Clinical from everyone's access lines above). If there's a future need, we create an empty Clinical-PHI share with the access list already proposed.
  • web folder — confirm we can retire entirely (DSM web station, not a business share)

Pre-cutover action items

  • Tamra Matthews — back up Sales Dept folder in root of her user profile; migrate into \\CS-SERVER\SalesDept. Must complete before her June 2026 departure. Verify it really isn't syncing (check the Synology Drive Client on her PC).
  • Create three new shares on CS-SERVER: LifeEnrichment, ALdocs, WebDocs at D:\Shares\<name>. Populate NTFS per this doc.
  • Map the new shares — LE workstations are net-new mappings (no drives today). Script the drive maps via GPO or logon script once per-user interviews close.
  • Receptionist share — machine+user GPO/logon-script mapping — drive letter (likely S:) should only map when the machine is a Tower reception PC (currently RECEPTIONIST-PC, and any future Tower-desk stations) AND the user is in a Tower receptionist role group. MC receptionist PC and Sales workstations must NOT get the drive auto-mapped even if the user also logs in elsewhere.
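The Receptionist rule above, written as a logon script for reference. This is an added example, not the site's own GPO or script; the equivalent in GPO Preferences is item-level targeting on computer name plus security group. It assumes the Tower receptionist role group is named SG-Receptionist-RW (the doc does not name it), uses the S: letter the item calls likely, and takes the RECEPTIONIST-PC name from the same item.

```powershell
# Logon-script form of the Receptionist drive rule (added example, not the site's script).
# ASSUMED: role group name SG-Receptionist-RW; drive letter S: (the doc says "likely S:").
$TowerReceptionPCs = @('RECEPTIONIST-PC')       # named in the doc; add future Tower-desk PCs here
$ReceptionistGroup = 'SG-Receptionist-RW'       # ASSUMED group name
$SharePath         = '\\CS-SERVER\Receptionist'
$DriveLetter       = 'S'

# Pure decision function: both conditions must hold. Kept apart from the side effects so it
# can be checked against the cases in the doc (Tower desk: yes; MC desk: no; Sales PC: no).
function Test-ReceptionistMapEligible {
    param(
        [string]$ComputerName,
        [string[]]$UserGroupNames,   # DOMAIN\Group strings for the logged-on user
        [string[]]$AllowedComputers,
        [string]$RequiredGroup
    )
    $onTowerPc = $AllowedComputers -contains $ComputerName
    $inGroup   = [bool]($UserGroupNames | Where-Object { ($_ -split '\\')[-1] -eq $RequiredGroup })
    return ($onTowerPc -and $inGroup)
}

# Resolve the current user's group SIDs to names; well-known SIDs that do not translate are skipped.
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

$eligible = Test-ReceptionistMapEligible -ComputerName $env:COMPUTERNAME -UserGroupNames $groupNames `
    -AllowedComputers $TowerReceptionPCs -RequiredGroup $ReceptionistGroup

if ($eligible) {
    # Non-persistent map: it lives only for this logon session, so it cannot follow the
    # account to another PC the way a remembered (persistent) mapping would.
    if (-not (Test-Path "${DriveLetter}:")) {
        net use "${DriveLetter}:" $SharePath /persistent:no | Out-Null
    }
} elseif (Test-Path "${DriveLetter}:") {
    # Wrong machine or wrong group (e.g. a receptionist account at the MC desk): drop any leftover S:.
    net use "${DriveLetter}:" /delete /y | Out-Null
}
```

Mapping with `/persistent:no` is what makes the "even if the user also logs in elsewhere" requirement hold: a persistent mapping is remembered in the user's profile and would reappear on the MC or Sales PC at the next logon, regardless of the machine check.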

Transition from Synology Drive Client to SMB mapped drives

Current state. The Synology NAS (cascadesDS) two-way syncs its shares to CS-SERVER at D:\Shares\Main\ via a Synology Drive Client running on CS-SERVER. That sync stays in place until Phase 4 cutover. Separately, some user workstations also have Synology Drive Client installed locally, pulling a cached copy of the shares to each PC — that's how those users access Management / SalesDept / Server / Public today.

Goal. Replace each user's local Synology Drive Client with a standard SMB mapped drive (e.g. \\CS-SERVER\Management, backed by D:\Shares\Main\Management). Because CS-SERVER's copy is kept current by the NAS-side sync, users see the same files via the mapped drive as they did via Synology Drive Client — no data move, just a different access path.

Prerequisite. NTFS permissions on each D:\Shares\Main\<share> folder must match this access matrix before drives are mapped on a user's PC. Otherwise users will see the folder but hit access-denied on files.

Rollout per user:

  1. Create / populate that user's SG-*-RW group memberships per this matrix.
  2. Map their drives via GPO Preferences (or logon script) based on those group memberships.
  3. Have the user sign in, open each mapped drive, confirm read-and-write works where expected.
  4. Uninstall Synology Drive Client from the PC. Delete the local cached folder once confirmed empty of unsynced changes.
  5. Log the change in the session log for that day.

At Phase 4 cutover the sync direction breaks: CS-SERVER becomes authoritative, the Synology moves to read-only, then to a backup target. Mapped drives already point at CS-SERVER so no user-side change is needed at cutover.

Do not retarget the CS-SERVER Synology Drive Client sync path. It stays at D:\Shares\Main\ for the duration. An earlier version of this doc proposed moving it to D:\Shares\Synology\ — that plan is scrapped because it would break the current user-side Synology Drive Client sync for the users still on it.
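The prerequisite above (NTFS must match the matrix before a drive is mapped) is easy to check from CS-SERVER itself. The following is an added example, not part of this doc or the project's scripts: it walks every non-administrative SMB share on the server and reports folders that still inherit ACEs from D:\ or carry principals other than Administrators, SYSTEM and the share's SG-<Share>-RW / SG-<Share>-RO groups. The SG-*-RW naming is from this doc; the -RO suffix and the CASCADES domain name are assumptions.

```powershell
# NTFS drift check for CS-SERVER shares (added example, not the project's own script).
# ASSUMED: NetBIOS domain CASCADES (placeholder); groups named SG-<Share>-RW and SG-<Share>-RO.
$Domain = 'CASCADES'

function Get-ShareAclFindings {
    param(
        [string]$ShareName,
        [string]$Path,
        [string]$Domain,
        # Shares that legitimately carry other principals (homes uses per-user ACEs).
        [string[]]$Skip = @('homes')
    )
    if ($Skip -contains $ShareName) { return @() }

    $expected = @(
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
        "$Domain\SG-$ShareName-RW", "$Domain\SG-$ShareName-RO"
    )
    $acl = Get-Acl -Path $Path
    $findings = @()

    # Inherited ACEs mean inheritance was never broken on this folder, so whatever D:\ grants
    # (typically BUILTIN\Users read) leaks through. That is the "sees the folder, access denied
    # on files" case from the prerequisite at best, unapproved read access at worst.
    if ($acl.Access | Where-Object IsInherited) {
        $findings += "[$ShareName] inherits ACEs from parent; inheritance should be disabled"
    }
    # Any explicit ACE for something other than the expected four is drift: a stray user ACE,
    # a leftover Everyone, a group from a different share.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference.Value
        if ($expected -notcontains $id) {
            $findings += "[$ShareName] unexpected principal $id ($($ace.FileSystemRights))"
        }
    }
    # Both matrix groups must be present, otherwise mapped drives will open but deny files.
    foreach ($id in $expected[2..3]) {
        if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $id })) {
            $findings += "[$ShareName] missing ACE for $id"
        }
    }
    return $findings
}

# Run across every non-administrative share (skips C$, ADMIN$, IPC$).
$all = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-ShareAclFindings -ShareName $_.Name -Path $_.Path -Domain $Domain
}
if ($all) { $all | ForEach-Object { Write-Warning $_ } }
else      { Write-Host 'NTFS ACLs match the matrix pattern on all shares.' }
```

Run it once before the first per-user rollout and again as the spot-check after group memberships are populated; an empty result means the only thing left to verify per user is their group membership.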

Next step — per-user interviews

Howard is walking the proposal around the building 2026-04-23 onward, asking each staff member which folders they actually use. Anything a user doesn't touch in their normal workflow gets set to not active for that person — the doc's current access list is the starting point, not the final word. Once interviews are done:

  1. Update this doc with the approved values
  2. Populate the SG-*-RW AD groups accordingly (one-shot script, no service interruption)
  3. Run scripts/phase2-file-shares.ps1 to create/update shares on CS-SERVER with the new NTFS permissions
  4. Spot-check from one PC per department to verify effective access matches the plan
  5. Leave the Synology in two-way sync during the overlap period; Phase 4 cutover retires Synology as primary once stable
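Step 2 calls for a one-shot script that populates the SG-*-RW groups. An added example of that reconcile, not the project's own script, is below. It adds missing memberships and, just as importantly, removes SG-* memberships that the matrix does not list, which is how an over-provisioned account comes down to its approved scope. The matrix excerpt uses the SMB share names from this doc (SalesDept, directoryshare, LifeEnrichment) and three people as written above; Clinical is left out because the share is still pending, and the Sandra Fish Archive is left out because it is an archive path rather than an SG-* share. The First.Last account names, the -RO group suffix and the use of the ActiveDirectory module are assumptions.

```powershell
# Reconcile SG-<Share>-RW / SG-<Share>-RO memberships with the access matrix
# (added example, not the project's one-shot script). Requires the RSAT ActiveDirectory
# module and rights to modify the SG-* groups.
Import-Module ActiveDirectory

# Matrix excerpt: sAMAccountName -> RW shares and RO shares (SMB share names).
# ASSUMED: accounts follow First.Last as the doc shows for Crystal.Rodriguez.
$Matrix = @{
    'Meredith.Kuhn' = @{ RW = 'Management','SalesDept','ALdocs','WebDocs','Server','directoryshare','Receptionist','LifeEnrichment'
                         RO = 'Culinary' }
    'JD.Martin'     = @{ RW = 'Culinary'
                         RO = @() }
    'Shelby.Trozzi' = @{ RW = 'Management','Server','directoryshare','Receptionist'
                         RO = 'SalesDept','LifeEnrichment' }
}

function Sync-MatrixGroupMembership {
    param([hashtable]$Matrix, [switch]$WhatIf)

    # Every SG-*-RW / SG-*-RO group is in scope. Memberships in these groups that the matrix
    # does not list are removed; groups outside this pattern are untouched.
    $scopedGroups = Get-ADGroup -Filter "Name -like 'SG-*-RW' -or Name -like 'SG-*-RO'" |
                    Select-Object -ExpandProperty Name

    foreach ($user in $Matrix.Keys) {
        $wanted  = @($Matrix[$user].RW | ForEach-Object { "SG-${_}-RW" }) +
                   @($Matrix[$user].RO | ForEach-Object { "SG-${_}-RO" })
        $current = Get-ADPrincipalGroupMembership -Identity $user |
                   Where-Object { $scopedGroups -contains $_.Name } |
                   Select-Object -ExpandProperty Name

        foreach ($g in ($wanted | Where-Object { $current -notcontains $_ })) {
            if ($scopedGroups -notcontains $g) {
                Write-Warning "$user needs $g but that group does not exist yet; create the share/group first"
                continue
            }
            Add-ADGroupMember -Identity $g -Members $user -WhatIf:$WhatIf
        }
        foreach ($g in ($current | Where-Object { $wanted -notcontains $_ })) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false -WhatIf:$WhatIf
        }
    }
}

# Dry run first; drop -WhatIf once the planned adds/removes look right.
Sync-MatrixGroupMembership -Matrix $Matrix -WhatIf
```

Because the script only touches groups matching the SG-* pattern, a user's other memberships (Domain Users, distribution lists) are never affected; the removal branch is what takes Shelby from Synology admin-full down to the MC Director scope listed above.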

Implementation detail — folder paths on CS-SERVER

For Howard's reference during setup. Reviewers can skip this section.

Two path conventions on CS-SERVER's D: drive:

  • D:\Shares\Main\<name>\ — two-way synced with cascadesDS via Synology Drive Client running on CS-SERVER. Use this for any share that needs to exist on both the Synology NAS and CS-SERVER during the Phase 4 overlap window: Management, SalesDept, Server, Public, and any others Meredith wants kept in sync. This is the existing sync target — do not retarget.
  • D:\Shares\<name>\ — CS-SERVER-local only, no Synology sync. Use this for shares that don't exist on Synology today or don't need a Synology copy: Culinary, IT, Receptionist, directoryshare, LifeEnrichment, ALdocs, WebDocs.
  • D:\Homes\<username>\ — per-user folder-redirection share. Exposed as \\CS-SERVER\homes. Not under either shares tree; not Synology-synced.

SMB share names stay flat (\\CS-SERVER\Management, \\CS-SERVER\Culinary) — users never see the path difference. Only the NTFS path under the hood changes.

Shares to create/update on CS-SERVER at this path convention:

| SMB share | CS-SERVER path | Synced with Synology? |
| --- | --- | --- |
| Management | D:\Shares\Main\Management | yes |
| SalesDept | D:\Shares\Main\SalesDept | yes |
| Server | D:\Shares\Main\Server | yes |
| Public | D:\Shares\Main\Public | yes |
| homes | D:\Homes | no (local, folder-redirection target) |
| LifeEnrichment | D:\Shares\LifeEnrichment | no (CS-SERVER local, new) |
| ALdocs | D:\Shares\ALdocs | no (CS-SERVER local, new) |
| WebDocs | D:\Shares\WebDocs | no (CS-SERVER local, new) |
| Clinical-PHI (from pacs) | D:\Shares\Clinical-PHI (if created) | Pending A12. Synology pacs is empty — if Meredith wants a clinical shared folder going forward, create empty on CS-SERVER (local, not synced). If not, retire and strip Clinical from access lines. |
| Culinary | D:\Shares\Culinary | no (local to CS-SERVER) |
| Receptionist | D:\Shares\Receptionist | no |
| directoryshare | D:\Shares\directoryshare | no |
| IT | D:\Shares\IT | no |
| Sandra Fish Archive | D:\Shares\Archive\Former-Director-Sandra-Fish | no — Meredith-only, archived |

The existing Synology Drive Client sync target on CS-SERVER is D:\Shares\Main\ (per docs/servers/cs-server.md). It stays there for the duration of the Phase 4 overlap. An earlier draft of this doc proposed retargeting to D:\Shares\Synology\ — that plan is scrapped; users currently rely on D:\Shares\Main\ and a retarget would break their sync.

scripts/phase2-file-shares.ps1 will need its $DestRoot + per-share Path values updated to match (D:\Shares\Main\<name> for synced shares, D:\Shares\<name> for local-only).
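For reference while those path values are updated, the following is an added example of the create/update step for the table above. It is not scripts/phase2-file-shares.ps1 and does not replace it. It takes the synced-vs-local split from the table, leaves out homes, Clinical-PHI (pending) and the Sandra Fish Archive (archive path, Meredith-only, handled separately), and assumes the CASCADES domain name (placeholder) and the SG-<Share>-RW / SG-<Share>-RO group naming.

```powershell
# Create CS-SERVER shares from the path table and apply matrix-shaped NTFS ACLs
# (added example, not the project's phase2-file-shares.ps1).
# ASSUMED: NetBIOS domain CASCADES (placeholder); groups SG-<Share>-RW (Modify) and SG-<Share>-RO (Read).
$Domain = 'CASCADES'

# Share name -> NTFS path. Synced shares stay under D:\Shares\Main; local-only shares under D:\Shares.
$Shares = [ordered]@{
    'Management'     = 'D:\Shares\Main\Management'
    'SalesDept'      = 'D:\Shares\Main\SalesDept'
    'Server'         = 'D:\Shares\Main\Server'
    'Public'         = 'D:\Shares\Main\Public'
    'LifeEnrichment' = 'D:\Shares\LifeEnrichment'
    'ALdocs'         = 'D:\Shares\ALdocs'
    'WebDocs'        = 'D:\Shares\WebDocs'
    'Culinary'       = 'D:\Shares\Culinary'
    'Receptionist'   = 'D:\Shares\Receptionist'
    'directoryshare' = 'D:\Shares\directoryshare'
    'IT'             = 'D:\Shares\IT'
}

function New-MatrixShare {
    param([string]$Name, [string]$Path, [string]$Domain)

    $rwGroup = "$Domain\SG-$Name-RW"
    $roGroup = "$Domain\SG-$Name-RO"

    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Share-level permission stays broad (Authenticated Users: Change); NTFS does the real scoping.
    # Access-based enumeration hides folders a user cannot read instead of showing a denied entry.
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess 'BUILTIN\Administrators' `
            -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FolderEnumerationMode AccessBased | Out-Null
    }

    # NTFS: stop inheriting from D:\ (without copying the parent ACEs), drop any explicit
    # leftovers, then grant exactly the four principals the matrix pattern calls for.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $rwGroup;                 Rights = 'Modify' },          # read, write, delete (scan-drop cleanup needs delete)
        @{ Id = $roGroup;                 Rights = 'ReadAndExecute' }   # open but not save/delete, per "Reading the list"
    )) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $entry.Id, $entry.Rights, $inherit, $prop, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($s in $Shares.GetEnumerator()) {
    New-MatrixShare -Name $s.Key -Path $s.Value -Domain $Domain
}
```

Keeping the share-level ACL generic and putting the matrix into NTFS means a later change (say, Culinary read for one more person) is a group-membership edit, not a share reconfiguration, and the same ACE shape on every folder is what makes the drift check straightforward.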


Source data

  • Synology permissions as of 2026-04-22 — docs/migration/synology-permission-inventory.md
  • Current AD users + titles — docs/servers/active-directory.md
  • Employee roster from John/Meredith (2026-04-22) — reports/cascades-staff-2026-04-22.csv
  • User rollout plan — docs/cloud/user-account-rollout-plan.md

Howard's input 2026-04-23: Ashley → Meredith tier · Veronica → Meredith tier (flagged as strong anomaly for Meredith's sign-off) · Shelby → narrowed from Synology admin-full to MC Director scope · Stephanie Devin removed (not in employee list) · Sandra Fish → Meredith sole custodian.