Printers Group - for Access Control
Kurt Pfeifle
k1pfeifle at gmx.net
Wed Nov 21 14:37:05 PST 2007
angelb wrote:
> Is there a way to delegate a number of printer queues to a specific
> group only? In other words, if I have a server that serves printers
> for accounting and marketing, can I delegate acctng group to administer
> printers that belong only to accounting and not have access to
> printers in mktg?
That's what "policies" (defined in cupsd.conf as you require)
are for....
2 Examples:
===========
(Examples also assume your CUPS is part of a Windows domain called
"BUGARIN_ALL", joined with the help of Samba...)
# ----------------------------- begin HR printer/job policies... -------------------------------
<Policy accounting_printers>
# Some Job-creating operations must be done by certain users and members of the specific group...
# Allowed local system group denoted by macro "@SYSTEM"
# Allowed Samba/Domain group names: "@BUGARIN_ALL\accounting"
# "@BUGARIN_ALL\accounting_trainee"
# Allowed Samba/Domain user names: "BUGARIN_ALL\angel"
# "BUGARIN_ALL\guest_acct"
# notice the required '@' to mark group names in the following directives
<Limit Create-Job Print-Job Send-Document Send-URI Set-Job-Attributes>
Require user @SYSTEM BUGARIN_ALL\angel @BUGARIN_ALL\accounting BUGARIN_ALL\guest_acct @BUGARIN_ALL\accounting_trainee
Order deny,allow
</Limit>
# Other Job-related, administrative operations must be done by the owner or an administrator...
# Allowed local system group denoted by macro "@SYSTEM"
# Job owner denoted by macro "@OWNER"
# Allowed Samba/Domain group names: "@BUGARIN_ALL\site_admins"
# "@BUGARIN_ALL\domain admins" # Windows builtin group
# Allowed Samba/Domain user names: "BUGARIN_ALL\angel"
# "BUGARIN_ALL\guest_acct"
# notice the required quotes if the Samba group name contains spaces
<Limit Hold-Job Release-Job Restart-Job Purge-Jobs Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job>
Require user @OWNER @SYSTEM BUGARIN_ALL\angel @BUGARIN_ALL\site_admins "@BUGARIN_ALL\domain admins"
Order deny,allow
</Limit>
# Some administrative operations require the allowed users to authenticate...
# Allowed local system group denoted by macro "@SYSTEM"
# Allowed Samba/Domain group names: "@BUGARIN_ALL\site_admins"
# "@BUGARIN_ALL\domain admins" # Windows builtin group
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM @BUGARIN_ALL\site_admins "@BUGARIN_ALL\domain admins"
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
# Allowed local system group denoted by macro "@SYSTEM"
# Job owner denoted by macro "@OWNER"
# Allowed Samba/Domain group names: "@BUGARIN_ALL\printer_admins"
# "@BUGARIN_ALL\site_admins"
# "@BUGARIN_ALL\domain admins" # Windows builtin group
# notice the required quotes if the Samba group name contains spaces
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM @BUGARIN_ALL\printer_admins @BUGARIN_ALL\site_admins "@BUGARIN_ALL\domain admins"
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
# ------------------------------- end HR printer/job policies... -------------------------------
# --------------------------- begin "only_from_localhost" policy... -------------------------------
<Policy only_from_localhost>
<Limit All>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Limit>
</Policy>
# ----------------------------- end "only_from_localhost" policy... -------------------------------
If you put these policy definitions (and some more, as you require)
into your cupsd.conf, you'll have them as choices for a possible
"operation policy" in the web interface for each printer's
configuration:
* accounting_printers
* only_from_localhost
Simply select the appropriate "operation policy" for each printer.
Printers controlled by the policy "only_from_localhost" can only be
accessed by users who submit a job from the CUPS host. (Depending on
your smb.conf, your domain and user names will pass the prefix of
"BUGARIN_ALL\" to CUPS as part of their names. That is OK. Depending
on your setup and your smb.conf, all Samba-submitted jobs may also
appear to be originating from localhost; this may be your intention
or not, so be careful with the "only_from_localhost" policy.)
You can define and use any number of different policies you want.
> This would almost look like the Classes feature. With Printers Group,
> I would create a group, say Accntg, and add printers into that group
> and assign users or groups authorized to make changes. This way, I
> could setup access controls for multiple groups of printers so that
> users or groups who belong in different departments can only see and
> control what they are allowed.
What CUPS provides now (policies) lets users and groups only control
what they are allowed to. However, all users and groups will still
*see* all printers.
To make it more obvious to users which printers they can use, your
only choice is to use a descriptive name for the queue, a "descriptive"
description string, a descriptive location string.
For KDE users you can add filters so that users only have those in
their drop down list of available printers which they are meant to
use.
> At the moment, I have thousands of printer queues from different
> departments and don't know of any way to do this.
>
> I apologize if a similar question has already been posted but I did
> search the forum and have not seen anything related.
>
> Any idea or suggestion is appreciated.
--
Kurt Pfeifle
System & Network Printing Consultant ---- Linux/Unix/Windows/Samba/CUPS
Infotec Deutschland GmbH ..................... Hedelfinger Strasse 58
A RICOH Company ........................... D-70327 Stuttgart/Germany
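
Added example (not part of the original post and not CUPS code): a small Python check that parses policy sections like the ones above and lists the operations that end up governed by a limit with neither Require nor Deny. It assumes an operation is matched against the `<Limit>` that names it and otherwise against `<Limit All>`; the sample config is constructed from the post's policies, with CUPS-Add-Printer deliberately left out of the admin limit, and the function names are hypothetical.

```python
import re
SAMPLE = r'''
<Policy accounting_printers>
<Limit Pause-Printer CUPS-Delete-Printer>
AuthType Basic
Require user @SYSTEM @BUGARIN_ALL\site_admins "@BUGARIN_ALL\domain admins"
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
<Policy only_from_localhost>
<Limit All>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Limit>
</Policy>
'''  # constructed sample, trimmed from the policies in the post

def parse_policies(text):
    """Return {policy: [(operations, {directive: [values]}), ...]}."""
    policies, limits, current = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r'<Policy\s+(\S+)>', line):
            limits = policies.setdefault(m.group(1), [])
        elif m := re.fullmatch(r'<Limit\s+(.+)>', line):
            current = {}
            limits.append((m.group(1).split(), current))
        elif line == '</Limit>':
            current = None
        elif current is not None and line and not line.startswith('#'):
            key, _, rest = line.partition(' ')
            current.setdefault(key.lower(), []).extend(
                v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest))
    return policies

def effective_rule(policies, policy, operation):
    """Directives of the <Limit> naming the operation, else of <Limit All>."""
    for wanted in (operation, 'All'):
        for ops, rule in policies[policy]:
            if wanted in ops:
                return rule
    return {}

def unrestricted(policies, policy, operations):
    """Operations whose effective rule has neither Require nor Deny."""
    return [op for op in operations
            if not {'require', 'deny'} & effective_rule(policies, policy, op).keys()]
```

To check a real server, pass the text of its cupsd.conf to `parse_policies` and call `unrestricted` with the administrative operations you expect to be limited.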