Understanding InfoPrint Manager Security

InfoPrint Manager Security, a feature that you administer through the InfoPrint Manager Management Interface (MMI), lets you protect your printing system by associating an Access Control List (ACL) with an InfoPrint Manager object or operation. An ACL is the list of users and groups who have permission to do something to or with an object. The ACL also refers to the type of permission.

Types of permission

In InfoPrint Manager, users can have three levels of permission: read, write, and delete. The levels provide these types of access:

For operations, the user can do the operation. For servers and queues, the user can view the attributes. If you restrict access to a server or queue, access to all objects contained by that server or queue is automatically restricted, even if the objects are not explicitly protected. For destinations, the user can view attributes and submit jobs to that destination.
  • To access an object contained by a server or a queue, you must have at least read permission for the higher-level object.
For all objects, the user can view and modify attributes.
For all objects, the user can view and modify attributes and can delete the object.

FST Users and Groups

When InfoPrint Manager is running in FST mode, the FST users and FST groups are required to manage the security of your printing system.

When InfoPrint Manager is first installed, three groups are created for you by default: acl_admin, admin, and oper. The user selected as authorized user during InfoPrint Manager installation is placed in the acl_admin group. To have the access necessary to modify the security characteristics, the user must be a member of the acl_admin group.

The users in the admin group have more default privileges from the users in the oper group: the possibility to create and delete InfoPrint Manager objects, and clean all the jobs associated with an InfoPrint Manager object.

Federated Authentication Overview

Federated authentication is a method of granting users secure access to InfoPrint Manager Web Management Interface and the InfoPrint Manager Web Administration Interface by relying on external identity providers (IdPs). Instead of managing separate user credentials within our system, federated authentication allows users to log in using their existing accounts from trusted third-party services.

  • InfoPrint Managerfederated authentication implementation is mapped on existing FST security groups.
  • When enabling federated authentication, FST or LDAP security continue to work as before.
  • Federated authentication can be used only for the Web Management Interface or the Web Administration Interface.
  • Federated authentication works only if you enabled https for the InfoPrint Manager web applications.

InfoPrint Manager supports the following federated authentication servers:

  • Active Directory Federation Services™ (AD FS)
  • Common Approach to Identity Assurance (CAIA)
  • Okta®

Mapping Federated Authentication groups to FST groups

When logging in through federated authentication, the groups passed by the federated authentication server for the user must match existing InfoPrint Manager FST groups. Those groups identify the access rights that the user will have in the system.

  • If you decide to bypass the standard (FST or LDAP) login for the web applications, make sure that at least one user has the acl_admin group attached in the federated authentication server. This setting allows the user to log in to Web Management Interface