Setting Access Control for Your Print System

Your print system is designed to take full advantage of eDirectoryTM. You receive all the benefits of eDirectory security and ease of management provided by the industry's most advanced and robust directory service. The Access Control feature lets you specify the access that each User, Group, or Container object will have to your printing resources.

Access control roles are mutually exclusive, even though the same individual might need to perform tasks reserved for different roles. For example, only printer managers can add or delete printer operators or printer Users. In a similar way, managers and operators must also be designated as users for a printer before they can submit print jobs to it.

In actual implementation, the defaults prevent most problems that might occur from these distinctions. For example, a manager is automatically designated an operator and user as well, while an operator of a printer is automatically designated a user of that printer also. You cannot remove the user role from an operator, and you cannot remove the operator and user roles from a manager.

The creator of an object is automatically granted privileges for all available roles for the type of object being created.

The following sections illustrate some of the security issues and features you might find useful as you plan your print system setup:


Setting Access Control for Printers

Printer security is ensured through the assignment of the manager, operator, and user access control roles and by the strategic placement of your printers and printer configurations.

You can assign multiple Printer objects to represent a single Printer Agent. You can then make different access control assignments to each Printer object. This can be an especially useful option if you want to allow users in different containers to use the same printer, because each group of users can be given different rights to the printer.

The following sections discuss security options for printers in more detail:


Printer Access Control Roles

Different User, Group, or container objects can have different access rights to the same printer. For example, if you want only certain users to be able to send jobs to a particular printer, you can specify which users should have access and what access roles each will have.

The following table describes the rights and privileges associated with each of the printer access control roles.

Role Description

Manager

Tasks performed exclusively by the Manager are those that require the creation, modification, or deletion of objects, as well as other eDirectory administrative functions. Managers are automatically designated as Operators and Users as well, so they can perform all tasks assigned to those operator roles. Typical manager functions include the following:

  • Modifying and deleting Printer objects
  • Adding or deleting operators and users for a printer
  • Adding other managers
  • Configuring interested-party notification
  • Creating, modifying, or deleting printer configurations

Operator

Printer management tasks performed by the operator include the following:

  • Performing all of the functions available through the Printer Control page
  • Pausing, restarting, or reinitializing printers
  • Reordering, moving, copying, and deleting jobs
  • Setting printer defaults, including locked properties

Operators cannot create, modify, or delete eDirectory objects or perform other eDirectory administrative functions.

User

Tasks performed by users include the following:

  • Submitting print jobs
  • Managing print jobs they own (users cannot copy, move, reorder, or remove jobs they do not own)

To simplify administration, the container a printer resides in is automatically assigned as a user for that printer, so all users in that container and its subcontainers can use that printer without being added to the list. You can delete the container from the list if you want to limit access to certain users, groups, or roles.

Assigning Printer Access Control Roles through Printer Objects

Different User, Group, or Container objects can have different access rights to the same printer. For example, if you want only certain users to be able to send jobs to a particular printer, you can specify which users should have access and what access roles each will be given.

  1. In Novell iManager, click iPrint > Manage Printer.

  2. Browse to and select the printer you want to enable Access Control for.

  3. Click the Access Control tab.

  4. Add or delete Users, Groups, or Container objects to the different access control roles.

  5. Click OK.


Planning Your Printer Connections and Locations for Better Security

Depending on your organization's needs, the network administrator can attach printers directly to NetWare® servers or to the network. Both types of setup can provide security and administrative advantages. The ideal combination for each installation is different and will change as needs change. Be sure to consider the advantages of each approach when you set up your network.

Connecting the printer to the server places the two resources in close proximity to each other. If the server is in a secure location, this means that the printer is locked up with the server. This might be an advantage. For example, your company might use that printer to print confidential documents. Having the printer in a secure location protects these documents.

Because most printers are already networkenabled, the most common type of network setup includes printers attached directly to the network. This allows the printer to be placed in a convenient location for all users and places it away from the server for security reasons; users who use the printer normally will not have access to the server console. Security is still maintained by requiring users to use a password to log in to the network before they can use the printer.


Setting Access Control for the iPrint Manager

iPrint Manager security is ensured through the assignment of the manager access control role.


iPrint Manager Access Control Role

The only access control role available for the iPrint Manager is that of manager. The following table explains the tasks performed by the manager role.

Role Description

Manager

Tasks performed exclusively by the manager are those that require the creation, modification, or deletion of print system objects, as well as other eDirectory administrative functions. Typical manager functions include the following:

  • Creating Printer Agents and iPrint Manager objects
  • Adding or deleting operators and users for a printer
  • Adding other managers
  • Configuring interested-party notification
  • Creating, modifying, or deleting printer configurations

Assigning the Manager Role for iPrint Managers

  1. In Novell iManager, click iPrint > Manage Print Manager.

  2. Browse to and select the iPrint Manager you want to enable access control for.

  3. Click the Access Control tab.

  4. Add or delete Users, Groups, or containers to the manager role.

  5. Click OK.


Setting Access Control for the iPrint Driver Store

The iPrint Driver Store security is ensured through the assignment of the manager access control role.


Print Driver Store Access Control Roles

The access control roles available to the iPrint Driver Store are manager and public access user. The following table explains these roles.

Role Description

Manager

Tasks performed exclusively by the iPrint Driver Store manager are those that require the creation, modification, or deletion of Driver Store objects, as well as those that involve other eDirectory administrative functions. Typical manager functions include the following:

  • Creating, modifying, and deleting Driver Store objects
  • Adding other managers
  • Adding resources to the Driver Store

Public Access User

A public access user is a role assigned to all entities on the network which are users of resources provided by the Driver Store. This role is assigned by default and does not require specific administrative action by the Driver Store manager. Typically, iPrint Managers refresh their cached copies of printer drivers for the printers they are hosting with updated printer drivers from the Driver Store.

Assigning Managers for the iPrint Driver Store

  1. In Novell iManager, click iPrint > Manage Driver Store.

  2. Browse to and select the Driver Store you want to enable access control for.

  3. Click the Access Control tab.

  4. Add or delete Users, Groups, or Containers to the manager role.

  5. Click OK.