Printers Group - for Access Control

Kurt Pfeifle k1pfeifle at gmx.net
Wed Nov 21 14:37:05 PST 2007


angelb wrote:

> Is there a way to delegate a number of printer queues to a specific
> group only? In other words, if I have a server that serves printers
> for accounting and marketing, can I delegate acctng group to administer
> printers that belongs only to accounting and not have access to
> printers in mktg?

That's what "policies" (defined in cupsd.conf as you require)
are for....


2 Examples:
===========

(Examples also assume your CUPS is part of a Windows domain called
"BUGARIN_ALL", joined with the help of Samba...)

# ----------------------------- begin HR printer/job policies... -------------------------------
<Policy accounting_printers>

  # Some Job-creating operations must be done by certain users and members of the specific group...
  # Allowed local system group denoted by macro "@SYSTEM"
  # Allowed Samba/Domain group names: "@BUGARIN_ALL\accounting"
  #                                   "@BUGARIN_ALL\accounting_trainee"
  # Allowed Samba/Domain user names:  "BUGARIN_ALL\angel"
  #                                   "BUGARIN_ALL\guest_acct"
  # notice the required '@' to mark group names in the following directives
  <Limit Create-Job Print-Job Send-Document Send-URI Set-Job-Attributes>
    Require user @SYSTEM BUGARIN_ALL\angel @BUGARIN_ALL\accounting BUGARIN_ALL\guest_acct @BUGARIN_ALL\accounting_trainee
    Order deny,allow
  </Limit>

  # Other Job-related, administrative operations must be done by the owner or an administrator...
  # Allowed local system group denoted by macro "@SYSTEM"
  # Job owner denoted by macro "@OWNER"
  # Allowed Samba/Domain group names: "@BUGARIN_ALL\site_admins"
  #                                   "@BUGARIN_ALL\domain admins"   # Windows builtin group
  # Allowed Samba/Domain user names:  "BUGARIN_ALL\angel"
  #                                   "BUGARIN_ALL\guest_acct"
  # notice the required quotes if the Samba group name contains spaces
  <Limit Hold-Job Release-Job Restart-Job Purge-Jobs Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job>
    Require user @OWNER @SYSTEM BUGARIN_ALL\angel @BUGARIN_ALL\site_admins "@BUGARIN_ALL\domain admins"
    Order deny,allow
  </Limit>

  # Some administrative operations require the allowed users to authenticate...
  # Allowed local system group denoted by macro "@SYSTEM"
  # Allowed Samba/Domain group names: "@BUGARIN_ALL\site_admins"
  #                                   "@BUGARIN_ALL\domain admins"   # Windows builtin group
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM @BUGARIN_ALL\site_admins "@BUGARIN_ALL\domain admins"
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  # Allowed local system group denoted by macro "@SYSTEM"
  # Job owner denoted by macro "@OWNER"
  # Allowed Samba/Domain group names: "@BUGARIN_ALL\printer_admins"
  #                                   "@BUGARIN_ALL\site_admins"
  #                                   "@BUGARIN_ALL\domain admins"   # Windows builtin group
  # notice the required quotes if the Samba group name contains spaces
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM @BUGARIN_ALL\printer_admins @BUGARIN_ALL\site_admins "@BUGARIN_ALL\domain admins"
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
# ------------------------------- end HR printer/job policies... -------------------------------



# --------------------------- begin "only_from_localhost" policy... -------------------------------
<Policy only_from_localhost>
  <Limit All>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
  </Limit>
</Policy>
# ----------------------------- end "only_from_localhost" policy... -------------------------------


If you put these policy definitions (and some more, as you require)
into your cupsd.conf, you'll have them as choice for a possible
"operation policy" in the web interface for each printer's configuration:
  * accounting_printers
  * only_from_localhost

Simply select the appropriate "operation policy" for each printer.

Printers controlled by the policy "only_from_localhost" can only be
accessed by users who submit a job from the CUPS host. (Depending on
your smb.conf, your domain and user names will pass the prefix of
"BUGARIN_ALL\" to CUPS as part of their names. That is OK. Depending
on your setup and your smb.conf, all Samba-submitted jobs may also
appear to be originating from localhost; this may be your intention
or not, so be careful with the "only_from_localhost" policy.)

You can define and use any number of different policies you want.

> This would almost look like the Classes feature. With Printers Group,
> I would create a group, say Accntg, and add printers into that group
> and assign users or groups authorized to make changes. This way, I
> could set up access controls for multiple groups of printers so that
> users or groups who belong in different departments can only see and
> control what they are allowed.

What CUPS provides now (policies) lets users and groups only control
what they are allowed to. However, all users and groups will still
*see* all printers.

To make it more obvious to users which printers they can use, your
only choice is to use a descriptive name for the queue, a "descriptive"
description string, a descriptive location string.

For KDE users you can add filters so that users only have those in
their drop down list of available printers which they are meant to
use.

> At the moment, I have thousands of printer queues from different
> departments and don't know of any way to do this.
> 
> I apologize if a similar question has already been posted, but I did
> search the forum and have not seen anything related.
> 
> Any idea or suggestion is appreciated.

-- 
Kurt Pfeifle
System & Network Printing Consultant ---- Linux/Unix/Windows/Samba/CUPS
Infotec Deutschland GmbH  .....................  Hedelfinger Strasse 58
A RICOH Company  ...........................  D-70327 Stuttgart/Germany
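An added example, not from Kurt's post or the CUPS project: a small auditor that parses `<Policy>` blocks from a cupsd.conf and reports, per operation, which principals the policy requires, so you can spot operations that silently fall through to `<Limit All>` with no `Require user` at all. The sample config is constructed (shorter than the one above, and deliberately missing Cancel-Job); `Order`/`Allow`/`Deny` address rules and the `@OWNER` macro are not evaluated.

```python
import re
# Constructed sample modelled on the list post's policy. Cancel-Job and Purge-Jobs
# are deliberately absent from every explicit <Limit>, so they fall through to
# the catch-all <Limit All>, which restricts nobody.
SAMPLE_CONF = r"""<Policy accounting_printers>
  <Limit Create-Job Print-Job Send-Document>
    Require user @SYSTEM BUGARIN_ALL\angel @BUGARIN_ALL\accounting
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer CUPS-Add-Printer CUPS-Delete-Printer>
    AuthType Basic
    Require user @SYSTEM "@BUGARIN_ALL\domain admins"
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

def parse_policies(text):
    """Map each <Policy name> to its <Limit> dicts: ops (set), auth (AuthType, default
    "None"), require (Require user list; [] = no user check). Address rules ignored."""
    policies, cur_policy, cur_limit = {}, None, None
    for raw in text.splitlines():
        # Quoted names such as "@BUGARIN_ALL\domain admins" stay one token.
        t = [x.strip('"') for x in re.findall(r'"[^"]*"|\S+', raw.split("#", 1)[0])]
        if not t:
            continue
        key = t[0].lower()
        if key == "<policy":
            cur_policy = policies.setdefault(t[1].rstrip(">"), [])
        elif key == "<limit":
            cur_limit = {"ops": {op.rstrip(">") for op in t[1:]}, "auth": "None", "require": []}
            cur_policy.append(cur_limit)
        elif key == "authtype" and cur_limit:
            cur_limit["auth"] = t[1]
        elif key == "require" and cur_limit and t[1].lower() == "user":
            cur_limit["require"].extend(t[2:])
    return policies

def who_may(policy, op):
    """(auth, principals) governing op: a <Limit> naming the op wins, otherwise
    <Limit All> applies. An empty principal list means anyone may perform it."""
    hit = [l for l in policy if op in l["ops"]] or [l for l in policy if "All" in l["ops"]]
    return (hit[0]["auth"], list(hit[0]["require"])) if hit else ("None", [])

def unrestricted_ops(policy, ops):  # operations left without any Require user
    return sorted(op for op in ops if not who_may(policy, op)[1])
```

Run it against your real cupsd.conf with the full list of job operations you care about; any operation reported by `unrestricted_ops` is one that the policy's `<Limit All>` hands to every client.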
