Employees
Source of truth: Google Workspace · classification & local fields editable here
| Name | Kind | Role | Department | Phone | State | Access | Updated |
|---|
Orders
Work items raised from Zammad tickets · approve to apply
| # | Kind | Target | Requester | Status | Zammad ticket | Created |
|---|
Equipment
Devices from Kaseya RMM · multi-use is allowed for kiosks & shared stations
| Hostname | Asset tag | Kind | Model / OS | Serial | Assigned to | Last seen | Last user (Kaseya) |
|---|
Google Workspace
Mailbox-level view from the Admin SDK + Gmail API · status, forwarding, delegation, groups
| Status | 2-Step | Last login | Storage | Forwards | Delegates | Groups |
|---|
Windows file shares
Inventoried daily from the on-prem file server · access via direct ACE or AD group membership
| UNC path | Description | Members | Direct ACEs | Last inventoried |
|---|
Audit log
Append-only, mirrored to ElasticSearch
| Time | Action | Employee | Actor | Detail |
|---|
GSuite sync
Pulls the canonical user list and applies lifecycle changes
| Started | Duration | Users | Changes | Failures |
|---|
Role matrix
Which services each role gets — least privilege per spec §5
| Role | Drive | Okta | Azure AD | QuickBooks | VPN |
|---|
Metrics
From spec §4 — sourced from audit + service logs
Integrations
Credentials & connection settings for every system ELM talks to. Secrets are write-only — once saved they're never returned to the browser.