Types of permission

In InfoPrint Manager, users can have three levels of permission: read, write, and delete. The levels provide these types of access:

  • Read

    For operations, the user can do the operation. For servers and queues, the user can view the attributes. For destinations, the user can view attributes and submit jobs to that destination.

  • Write

    For all objects, the user can view and modify attributes.

  • Delete

    For all objects, the user can view and modify attributes and can delete the object.

If you place userA on the ACL for the logical destination “print2ld” and give her read permission, she can send her print jobs to it and can open the “print2ld” object to see its properties. However, she cannot make changes to those properties. If she tried to change any of them or tried to delete the destination, she would receive an error message. If you decide that userA needs to be able to do more and give her write permission as well, she will be able to change the properties of “print2ld,” but still will not be able to delete it.

Important: If you protect a destination (logical or actual) so that only certain users can modify or delete its properties, you might inadvertently prevent other users from submitting print jobs to it. To be sure that all of your users can still print to the destination, add the wildcard character (*) to the ACL as a user with read permission.

You can also attach ACLs to the operations that you can do on InfoPrint objects. Allowing you to protect both operations and objects means that InfoPrint Manager Security provides different levels of security: you can protect all objects by using ACLs at the operation level or you can protect individual objects with ACLs applied only to them. Or you can do both: protect all objects by using operation-level ACLs for some operations and limit access to subsets of objects by using object-level ACLs.

All InfoPrint object names, including security groups and ACL members, are case-sensitive.

For operations, there is only one level of permission: read. If a user has read permission, they can do that action; if they do not, they cannot do the action. For example, userB is a printer operator and must be able to move jobs to different positions in the print queue because some jobs need to be printed before others. You can give userB read permission for the operation Reorder Job to allow him to do his job. On the other hand, userC submits print jobs from his office workstation and does not like to wait for the jobs ahead of his in the queue to print. If you want to prevent him from moving jobs, do not put him on the ACL for the Reorder Job operation. When he tries to move his job to the top of the queue, the action will be denied.

When you install InfoPrint Manager, many operations are already protected so that only members of the admin and oper groups can do them. You can see the ACLs for operations in the Management Console by selecting the Security-ACL-Operations item in the left pane. If you want users to be able to do those operations, you must either add those users to the individual ACLs or to a group that has permission (either the existing admin and oper groups or a new group that you create).

Note: If an object is protected, a user can only do an operation on that object if he has both read permission for the operation and the appropriate level of permission for the object. If the object is not protected, only users in the default admin or oper groups are able to do the action. If a user is added to a non-standard group, they are not able to do the action unless they are the owner of the job in question.

If the object has an ACL, the permission needed depends on the operation. For example, List requires read, Set requires write, and Delete requires delete.
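
The two-part check for a protected object described above (read permission on the operation, plus the level that operation requires on the object) can be modeled as follows. This is an added example, not InfoPrint Manager code: the function names and sample ACLs are constructed, group membership is left out, and it assumes that a named entry and the wildcard entry combine by taking the higher of the two levels.

```python
# Added illustration: a simplified model of the checks described on this page,
# not InfoPrint Manager code. Function names and sample ACLs are constructed.
RANK = {"read": 1, "write": 2, "delete": 3}   # write includes read; delete includes both
REQUIRED = {"List": "read", "Set": "write", "Delete": "delete"}   # mapping from the page


def object_level(object_acl, user):
    """Level the object ACL gives `user`, or None if the user is not covered.

    Names are matched exactly (case-sensitive). Assumption: when both a named
    entry and the wildcard '*' apply, the higher level wins.
    """
    levels = [object_acl[member] for member in (user, "*") if member in object_acl]
    return max(levels, key=RANK.get, default=None)


def allowed(user, operation, operation_acls, object_acl):
    """Access decision for a protected object (one that has an ACL)."""
    # 1. Operation ACLs have one level, read: the user is either listed or not.
    if user not in operation_acls[operation]:
        return False
    # 2. The object ACL must grant at least the level the operation requires.
    level = object_level(object_acl, user)
    return level is not None and RANK[level] >= RANK[REQUIRED[operation]]


# Constructed sample data following the page's userA / print2ld scenario.
OPERATION_ACLS = {
    "List": {"userA", "userB"},
    "Set": {"userA", "userB"},
    "Delete": {"userA"},
}
PRINT2LD_ACL = {"userA": "write", "*": "read"}   # '*' keeps the object readable by everyone

if __name__ == "__main__":
    cases = [("userA", "Set"), ("userA", "Delete"), ("userB", "List"),
             ("userB", "Set"), ("usera", "List")]
    for user, operation in cases:
        verdict = "allowed" if allowed(user, operation, OPERATION_ACLS, PRINT2LD_ACL) else "denied"
        print(f"{user:6} {operation:7} {verdict}")
```

In this model the wildcard entry gives userB read access to “print2ld” but never write access, and “usera” is denied because names are case-sensitive.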