Policy - User not in group

angelb angelb at bugarin.us
Wed Jan 2 15:02:12 PST 2008


> Hello all.
>
> I've created my first policy, mktgtest, with an appropriate account,
> qadmin1, that has access to the policy but it's not working the way I
> thought it should.
>
> When trying to Disable or Enable a printer using the "qadmin1" account,
> it complains the account does not belong to "lp" group. The "lp" group
> happens to be in the default policy.
>
> My policy:
> <Policy mktgtest>
>  ...
>  # Requires authentication and group membership to qadmin
>  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes
>         Enable-Printer Disable-PrinterDefault
>         ...>
>            AuthType Basic
>            Require group qadmin
>            Order deny,allow
>  </Limit>
>  ...
> </Policy>
>
> Printer config:
> <Printer 3668-0-p1>
> ...
> OpPolicy mktgtest
> ErrorPolicy stop-printer
> </Printer>
>
> User account: qadmin1
> [qadmin1 at stlam507 ~]$ id
> uid=1838(qadmin1) gid=1838(qadmin) groups=1838(qadmin)
>
> The account "qadmin1" is a member of group "qadmin" which is a group
> specified inside the Limits directive in the mktgtest policy. And, the
> printer, 3668-0-p1, qadmin1 is trying to modify is correctly assigned
> (using the lpadmin command) to the mktgtest policy. So, where have I
> gone wrong that prevents the group "qadmin" from being used?

Ok, it would appear I need to have the "qadmin" group included
in /admin. That allowed the user "qadmin1" to stop the printer. But
now, I'm confused why qadmin1 is allowed to stop or start, or any other
options, a printer even if the mktgtest policy only has the following
option:

 <Limit CUPS-Accept-Jobs>
        AuthType Basic
        Require group qadmin
        Order deny,allow
 </Limit>


Thanks,
Angel
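
An added example, not part of the original message and not CUPS code: a small audit script that parses `<Policy>` blocks from cupsd.conf text and reports which directives a policy states for a given IPP operation, so operations the policy never mentions stand out (here `Pause-Printer` under a policy that lists only `CUPS-Accept-Jobs`). The sample configuration is constructed from the fragments quoted above, the function names are hypothetical, and each `<Limit ...>` tag is assumed to sit on one line.

```python
import re

# Constructed sample, assembled from the fragments quoted in the message.
SAMPLE_CONF = """\
<Policy mktgtest>
  # Requires authentication and group membership to qadmin
  <Limit CUPS-Accept-Jobs>
    AuthType Basic
    Require group qadmin
    Order deny,allow
  </Limit>
</Policy>
"""

def parse_policies(text):
    """Return {policy: {operation: [directive lines]}} from cupsd.conf text."""
    policies, policy, rules = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if m := re.fullmatch(r"<Policy\s+(\S+)>", line, re.I):
            policy = policies.setdefault(m.group(1), {})
        elif re.fullmatch(r"</Policy>", line, re.I):
            policy = None
        elif policy is not None and (m := re.fullmatch(r"<Limit\s+(.+?)>", line, re.I)):
            rules = []
            for op in m.group(1).split():
                policy[op] = rules            # ops in one <Limit> share its rules
        elif re.fullmatch(r"</Limit>", line, re.I):
            rules = None
        elif rules is not None:
            rules.append(line)                # AuthType / Require / Order ...
    return policies

def rules_for(policies, policy, operation):
    """Directives the policy states for an operation: an exact <Limit> match,
    else the <Limit All> block if one exists, else None (nothing stated)."""
    limits = policies[policy]
    return limits.get(operation, limits.get("All"))

if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_CONF)
    for op in ("CUPS-Accept-Jobs", "Pause-Printer"):
        print(op, "->", rules_for(parsed, "mktgtest", op))
```

A `None` result means the policy carries no `Require` line for that operation, which is the first thing to check when a group restriction appears to apply more broadly or more narrowly than intended.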



