Types of permission
In InfoPrint Manager, users can have three levels of permission: read, write, and delete. The levels provide these types of access:
- Read
For operations, the user can do the operation. For servers and queues, the user can view the attributes. If you restrict access to a server or queue, access to all objects contained by that server or queue is automatically restricted, even if the objects are not explicitly protected. For destinations, the user can view attributes and submit jobs to that destination.
Note: To access an object contained by a server or a queue, you must have at least read permission for the higher-level object. - Write
For all objects, the user can view and modify attributes.
- Delete
For all objects, the user can view and modify attributes and can delete the object.
If you place user A on the ACL for the logical destination "print2ld" and give this user read permission, user A can send the print jobs to it and can open the “print2ld” object to see its properties. However, user A cannot make changes to those properties. If user A tried to change any of them or tried to delete the destination, user A would receive an error message. If you decide that user A needs to be able to do more and give them write permission as well, user A will be able to change the properties of “print2ld,” but still will not be able to delete it.
- Important:
- If you protect a destination (logical or actual) so that only certain users can modify or delete its properties, you might inadvertently prevent other users from submitting print jobs to it. To be sure that all of your users can still print to the destination, add the wildcard character (*) to the ACL as a user with read permission.
You can also attach ACLs to the operations that you can do on InfoPrint objects. Allowing you to protect both operations and objects means that InfoPrint Manager Security provides different levels of security: you can protect all objects by using ACLs at the operation level or you can protect individual objects with ACLs applied only to them. Or you can do both: protect all objects by using operation-level ACLs for some operations and limit access to sub-sets of objects by using object-level ACLs.
All InfoPrint object names, including security groups and ACL members, are case-sensitive.
For operations, there is only one level of permission: read. If a user has read permission, they can perform that action; if the user does not, they cannot perform the action. For example, user B is a printer operator and must be able to move jobs to different positions in the print queue because some jobs need to be printed before others. You can give user B read permission for the operation Reorder Job to allow the user to do their job. On the other hand, user C submits print jobs from their office workstation and does not like to wait for the jobs ahead of theirs in the queue to print. To prevent user C from moving jobs, do not put user C on the ACL for the Reorder Job operation. When user C tries to move their job to the top of the queue, the action will be denied.
When you install InfoPrint Manager, many operations are already protected so that only members of the admin and opergroups can do them. You can see the ACLs for operations in the Management Interface by selecting the Security-ACL-Operations item in the left pane. If you want users to be able to do those operations, you must either add those users to the individual ACLs or to a group that has permission (either the existing admin and oper groups or a new group that you create).
If the object has an ACL the permission needed depends on the operation. For example, List requires read, Set requires write, and Delete requires delete.