u/unumri

IEC to PR while keeping work authorization - how does this actually work

Posting from Australia (country of citizenship) because I'm trying to map out the IEC to PR transition properly before my permit gets close to expiry. From what I've read, the IEC permit itself generally isn't extendable, so if you want to keep working legally while a PR application is in progress, you basically need to switch to something else before the IEC runs out. The two main options I keep seeing are a Bridging Open Work Permit or an employer-sponsored work permit (LMIA-based or exempt depending on the situation).

Worth flagging though: the BOWP isn't just available because you've submitted a PR application. From what I understand, you need an Acknowledgment of Receipt for an eligible PR class, and you need to apply for the BOWP before your IEC actually expires. So it's not a guaranteed fallback; it depends on which PR stream you're in and whether the timing lines up.

The part that trips me up is the maintained status piece. My understanding is that if you apply for a new permit before your IEC expires, you get implied status and can keep working under the same conditions while it's processed. But if you let it lapse or drop to visitor status, you can stay in Canada but you can't work anymore. So the timing really matters, and starting the PR process with enough runway before expiry seems critical, especially with IRCC processing times being what they are in 2026.

Has anyone here actually gone through this transition recently? Specifically curious whether people went the BOWP route or the employer-sponsored permit route, and whether there were any surprises with processing times that nearly caught you out.

u/unumri — 3 days ago

r/solar

Monitoring and optimizing solar in CA with SGIP - where do you actually start

Just started looking into SGIP properly after getting quotes for a solar + battery setup in CA. From what I can tell it's primarily a battery incentive program, though it's more segmented than I initially realized - there are different budget categories, and the one most relevant to general residential installs right now seems to be the Residential Solar and Storage Equity path, which is income-qualified. Worth flagging that budget windows open and close and some are already waitlisted, so the availability picture can shift fast - definitely worth checking the current CPUC SGIP handbook and your IOU's program page directly rather than relying on anything you read a few months ago.

The eligibility requirements caught me off guard a bit. I'd seen references to specific cycling or discharge requirements, but the more I dig in the more it seems like those details vary by budget category and program vintage, so I'm not treating any single number I've read as gospel until I've confirmed it against the current handbook.

On the monitoring side - from what I've seen the installer typically handles the SGIP paperwork, but there's a separate compliance and metering layer that the program may require on top of whatever the hardware vendor provides natively. So the Enphase or Tesla or SolarEdge app gives you your system view, but that's not necessarily the same as what SGIP needs for reporting purposes.

Which brings me to the actual question I'm trying to work through: under NEM 3.0 the economics have shifted pretty hard toward self-consumption and TOU rate arbitrage rather than export, so monitoring and scheduling decisions matter a lot more than they used to. Has anyone found the native manufacturer apps actually useful for making real day-to-day decisions around TOU scheduling and battery reserve thresholds, or do you end up layering something else on top?

And has anyone run into issues with utility tariff changes after going through SGIP? I've seen mentions of being moved onto different billing plans that can affect the overall economics in ways that weren't obvious upfront.

u/unumri — 6 days ago

Zero trust in hybrid environments - what's actually worked for you

Been thinking about this a lot lately. Most of the guidance out there says start with identity hardening, then device posture, then app access, then segmentation, then telemetry and automation. Phased rollout rather than trying to rearchitect everything at once. That approach has generally made sense in my experience, but I'm curious how others have actually sequenced it in practice, especially when you've got a mix of on-prem AD, Entra ID, and cloud workloads all in play at the same time.

One thing I keep coming back to is the debate around network-centric ZTNA vs identity/workload-centric access. Granting "trusted network" access feels too broad even with segmentation in place. App-level access with identity-bound sessions and device compliance checks seems tighter, but it creates friction and sometimes the tooling doesn't play nicely across the hybrid boundary.

Also seen plenty of orgs that ticked the MFA box and called it zero trust, which... yeah nah, that's not it. Without continuous posture checking and meaningful segmentation it's just stronger IAM, not an actual architecture. The lateral movement problem doesn't go away because you hardened the front door.

Also worth calling out the visibility piece before almost anything else. You can't enforce policy on users, devices, or workloads you haven't inventoried. A lot of implementations I've seen skip that step and end up with coverage gaps that are genuinely hard to find later, especially across the hybrid boundary where AD-joined and Entra-joined devices are being treated inconsistently.

The privileged account piece is where I see the most resistance in practice. Getting the business to actually enforce least privilege on admin accounts, not just document it, is a different conversation than deploying Conditional Access policies.

Curious what controls others have found most impactful early in the process, and whether anyone's had real success building that business case for enforcing least privilege where it actually hurts.

u/unumri — 8 days ago

Zero trust in hybrid environments - what's actually working for you

Been thinking about this a lot lately. Most orgs I see are buying ZTNA or SASE products and calling it done, but the underlying trust boundaries haven't changed at all. Standing privilege still everywhere, conditional access policies covering maybe half the apps, and nobody's touched service account sprawl in years. The tooling is there but the architecture work just doesn't happen.

My take after working through a few of these rollouts is that identity has to come first, but people underestimate how much of that means non-human identities too. Service-to-service traffic is a massive blind spot. You can get MFA coverage into the 90s for users and still have hundreds of service accounts with broad permissions and no monitoring. Microsegmentation matters, but if you haven't sorted out workload identities first you're just building walls with open gates.

Phishing-resistant auth for admins is also something I'd push earlier than most orgs do. Passwordless for high-risk accounts is pretty achievable now with Entra ID and it removes a whole class of risk that conditional access alone doesn't cover. CI/CD pipelines and other non-human identities are often sitting on permissions broader than anything you'd grant a human user, and they're getting almost no scrutiny.

The other thing I'd push back on is the idea of full zero trust as an end state. Incremental rollout by asset criticality is just how this actually works in practice. Start with your crown jewels, enforce compliant device access, kill standing privilege for admins, then expand from there. Trying to boil the ocean gets you nowhere.

Curious what others have found most impactful early on, specifically whether you went identity-first or tackled network segmentation before sorting out the identity layer.

u/unumri — 8 days ago