10.1 Setting Access Control for Your Print System

Your print system is designed to take full advantage of eDirectory. You receive all the benefits of eDirectory security and ease of management provided by the industry’s most advanced and robust directory service. The Access Control feature lets you specify the access that each User, Group, or Container object has to your printing resources. Currently, access control for printers is only supported on the Windows iPrint Client.

Access control roles are mutually exclusive, even though the same individual might need to perform tasks reserved for different roles. For example, only printer managers can add or delete printer operators or printer users. In a similar way, managers and operators must also be designated as users for a printer before they can submit print jobs to it.

In actual implementation, the defaults prevent most problems that might occur from these distinctions. For example, a manager is automatically designated an operator and user, and an operator of a printer is automatically designated a user of that printer.

The creator of an object is automatically granted privileges for all available roles for the type of object being created.

The following sections describe some of the security issues and features you might find useful as you plan your print system setup:

10.1.1 Setting Access Control for Printers

Printer security is ensured through the assignment of the manager, operator, and user access control roles and by the strategic placement of your printers and printer configurations.

You can assign multiple Printer objects to represent a single Printer Agent. You can then make different access control assignments to each Printer object. This can be an especially useful option if you want to allow users in different containers to use the same printer, because each group of users can be given different rights to the printer.

The following sections describe security options for printers in more detail:

Printer Access Control Roles

Different User, Group, or container objects can have different access rights to the same printer. For example, if you want only certain users to be able to send jobs to a particular printer, you can specify which users should have access and what access roles each user should have.

The following table describes the rights and privileges associated with each of the printer access control roles.

Table 10-1 Printer Access Control Roles

Role: Manager

Description: Tasks performed exclusively by the Manager are those that require the creation, modification, or deletion of objects, as well as other eDirectory administrative functions. Managers are automatically designated as Operators and Users, so they can perform all tasks assigned to those roles. Typical manager functions include the following:

  • Modifying and deleting Printer objects

  • Adding or deleting operators and users for a printer

  • Adding other managers

  • Configuring interested-party notification

  • Creating, modifying, or deleting printer configurations

Role: Operator

Description: Operators are automatically designated as Users, so they can perform all tasks assigned to the User role. Printer management tasks performed by the operator include the following:

  • Performing all of the functions available through the Printer Control page

  • Pausing, restarting, or reinitializing printers

  • Reordering, moving, copying, and deleting jobs

  • Setting printer defaults, including locked properties

Operators cannot create, modify, or delete eDirectory objects or perform other eDirectory administrative functions.

Role: User

Description: Tasks performed by users include the following:

  • Submitting print jobs

  • Managing print jobs they own (users cannot copy, move, reorder, or remove jobs they do not own)

To simplify administration, the container a printer resides in is automatically assigned as a user for that printer, so all users in that container and its subcontainers can use that printer without being added to the list. You can delete the container from the list if you want to limit access to certain users, groups, or roles.
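The role rules in Table 10-1 and the container default described above, modelled as an added example (this is not Novell or iPrint code). The DNs, task names, and the `acl`/`groups` data layout are assumptions made for illustration, and container inheritance is assumed to apply to every role the way the page describes it for users.

```python
# Added illustration: a model of the role rules in Table 10-1, not iPrint code.
# Role implication: a manager is also an operator and user; an operator is also a user.
IMPLIES = {"manager": {"manager", "operator", "user"},
           "operator": {"operator", "user"},
           "user": {"user"}}

# Minimum role per task, from the role descriptions (task names are hypothetical).
TASK_ROLE = {"modify_printer_object": "manager", "edit_access_list": "manager",
             "pause_printer": "operator", "reorder_jobs": "operator",
             "submit_job": "user"}

def dn_within(dn, trustee):
    """True if dn is the trustee itself or sits in it or one of its subcontainers.
    Assumes simple comma-separated DNs with no escaped commas."""
    dn, trustee = dn.lower(), trustee.lower()
    return dn == trustee or dn.endswith("," + trustee)

def effective_roles(principal, acl, groups):
    """Union of roles granted directly, through a group, or through a container."""
    roles = set()
    for role, trustees in acl.items():
        for t in trustees:
            members = {m.lower() for m in groups.get(t, ())}
            if dn_within(principal, t) or principal.lower() in members:
                roles |= IMPLIES[role]
    return roles

def can(principal, task, acl, groups, job_owner=None):
    roles = effective_roles(principal, acl, groups)
    if task == "manage_job":  # users manage only jobs they own; operators any job
        own = job_owner is not None and job_owner.lower() == principal.lower()
        return "operator" in roles or ("user" in roles and own)
    return TASK_ROLE[task] in roles

def default_container_is_user(printer_dn, acl):
    """Audit check: is the printer's own container still on the user list?"""
    parent = printer_dn.split(",", 1)[1].lower()
    return parent in {t.lower() for t in acl.get("user", ())}

# Constructed sample data (all DNs are made up).
PRINTER = "cn=hr-laser,ou=hr,o=acme"
ACL = {"manager": ["cn=admin,o=acme"],
       "operator": ["cn=helpdesk,ou=it,o=acme"],
       "user": ["ou=hr,o=acme", "cn=payroll,ou=groups,o=acme"]}
GROUPS = {"cn=payroll,ou=groups,o=acme": {"cn=dana,ou=finance,o=acme"}}

if __name__ == "__main__":
    for who in ("cn=admin,o=acme", "cn=bob,ou=recruiting,ou=hr,o=acme"):
        print(who, sorted(effective_roles(who, ACL, GROUPS)))
    print("container default present:", default_container_is_user(PRINTER, ACL))
```

Running the audit check across every printer's access list shows where the default container grant is still in place on printers that were meant to be restricted.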

Assigning Printer Access Control Roles through Printer Objects

Different User, Group, or Container objects can have different access rights to the same printer. For example, if you want only certain users to be able to send jobs to a particular printer, you can specify which users should have access and what access roles each user should be given.

  1. In Novell iManager, click iPrint > Manage Printer.

  2. Browse to and select the printer you want to enable Access Control for.

  3. Click the Access Control tab.

  4. Add or delete Users, Groups, or Container objects to the different access control roles.

  5. Click OK.

10.1.2 Setting Access Control for the Print Manager

Print Manager security is ensured through the assignment of the manager access control role.

Print Manager Access Control Role

The only access control role available for the Print Manager is that of manager. The following table explains the tasks performed by the manager role.

Table 10-2 Print Manager Access Control Role

Role: Manager

Description: Tasks performed exclusively by the manager are those that require the creation, modification, or deletion of print system objects, as well as other eDirectory administrative functions. Typical manager functions include the following:

  • Creating Printer Agents and Print Manager objects

  • Adding or deleting operators and users for a printer

  • Adding other managers

  • Configuring interested-party notification

  • Creating, modifying, or deleting printer configurations

Assigning the Manager Role for Print Managers

To make manager assignments for your Print Manager objects:

  1. In Novell iManager, click iPrint > Manage Print Manager.

  2. Browse to and select the Print Manager you want to enable access control for.

  3. Click the Access Control tab.

  4. Add or delete Users, Groups, or containers to the manager role.

  5. Click OK.

10.1.3 Setting Access Control for the Driver Store

Driver Store security is ensured through the assignment of the manager access control role.

Driver Store Access Control Roles

The access control roles available to the Driver Store are manager and public access user. The following table explains these roles.

Table 10-3 Driver Store Access Control Roles

Role: Manager

Description: Tasks performed exclusively by the Driver Store manager are those that require the creation, modification, or deletion of Driver Store objects, as well as those that involve other eDirectory administrative functions. Typical manager functions include the following:

  • Creating, modifying, and deleting Driver Store objects

  • Adding other managers

  • Adding resources to the Driver Store

Role: Public Access User

Description: A public access user is a role assigned to all entities on the network that are users of resources provided by the Driver Store. This role is assigned by default and does not require specific administrative action by the Driver Store manager. Typically, Print Managers refresh their cached copies of printer drivers for the printers they are hosting with updated printer drivers from the Driver Store.

Assigning Managers for the Driver Store

To make Manager assignments for your Driver Store objects:

  1. In Novell iManager, click iPrint > Manage Driver Store.

  2. Browse to and select the Driver Store you want to enable access control for.

  3. Click the Access Control tab.

  4. Add or delete Users, Groups, or Containers to the manager role.

  5. Click OK.