No matter what size organization you work in, manually adding every user to every ACL can be a time-consuming process. To reduce some of the work, you can create security groups, which are groups of users who need the same levels of permission for the same objects. You use the name of the security group like a user ID; instead of adding each user ID to an ACL, you add the group name. For example, if you want all of your help desk operators to be able to perform the same operations, create a group and name it helpdesk. Then, add helpdesk to the appropriate ACLs.
When you install InfoPrint Manager, three security groups are created by default:
- acl_admin: Users who have authority to manage security by changing access control lists and groups. The default members are Administrator@* and the user who was logged on when InfoPrint Manager was installed (for example, myuserid@*).
- admin: Users who have administrator authority. The default members are Administrator@* and the user who was logged on when InfoPrint Manager was installed (for example, myuserid@*).
- oper: Users who have operator authority. The default member is Administrator@*.
You can modify these groups as needed. In the example above, you could have simply added the help desk operators to the default oper group and modified any permissions that weren't set to the level that you wanted them.
The default group members contain the wildcard character (*) for greater flexibility. See below for more information about wildcarding. If you do not want the Administrator user on other systems to be able to administer InfoPrint Manager, replace the * with the explicit address of the system that the InfoPrint Manager server is installed on, for example Administrator@serversystem.company.com.
You can add users to multiple groups, but you cannot make one group a member of another group. For example, if you hire five new print operators, you might create a group for them called trainees, since you only want them to have limited permissions until they are finished with their training. When they finish their training, you cannot add trainees as a member of the operators group. You will have to add their user IDs to the operators group one at a time. In addition, you will have to either delete the trainees group or delete the members from it; otherwise those users will have conflicting levels of permission.
When users are members of more than one group and each group has a different level of permission for a particular object, the most restrictive permission applies. In the example above, if you forgot to remove the new employees from the trainees group at the end of their training, they wouldn't be able to perform the tasks their job required; they would still be restricted.
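The following sketch models the most-restrictive rule and the wildcard members described above so that leftover memberships (such as a trained operator still in trainees) can be found in a review. It is an added example, not InfoPrint Manager code: the permission level names and their ordering, the sample users and hosts, and the exact matching semantics of * are assumptions.

```python
import re

# Assumed permission levels, least to most permissive (not taken from the page).
LEVELS = ["read", "write", "delete"]

# Constructed sample data: group -> member entries, and one object's ACL.
GROUPS = {
    "trainees": ["alice@*", "bob@*"],
    "operators": ["alice@*", "carol@ops1.company.com"],
    "admin": ["Administrator@*"],
}
ACL = {"trainees": "read", "operators": "write", "admin": "delete"}


def matches(pattern, user):
    """Match user@host against a member entry; only * is treated as a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user) is not None


def groups_for(user, groups=GROUPS):
    """Names of every group that has a member entry matching the user."""
    return sorted(g for g, members in groups.items()
                  if any(matches(m, user) for m in members))


def effective_permission(user, acl=ACL, groups=GROUPS):
    """Most restrictive level among the user's groups that appear on the ACL."""
    levels = [acl[g] for g in groups_for(user, groups) if g in acl]
    return min(levels, key=LEVELS.index) if levels else None


def conflicts(users, acl=ACL, groups=GROUPS):
    """Users whose groups grant different levels on the same object."""
    found = {}
    for user in users:
        granted = {g: acl[g] for g in groups_for(user, groups) if g in acl}
        if len(set(granted.values())) > 1:
            found[user] = granted
    return found


def wildcard_hosts(groups=GROUPS):
    """Member entries that accept any host, listed for review."""
    return sorted((g, m) for g, ms in groups.items() for m in ms if m.endswith("@*"))
```

Here alice belongs to both trainees and operators, so her effective level is the trainees level until she is removed from that group.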