This is not a finished work... Probably some stuff is wrong, but it lets me
run the printers with full access to all printers for those who know the
rcfadmin username and passwd, and give access to MPO divisional admins to
control the MPO printers.  This worked for me with 1.2.11, but not 1.2.10 as
distributed in RedHat FC6.

---  Setup Divison admins -----------------------------------------------

The 1.2.11 server supports departmental admins.  In /etc/cups/cupsd.conf, a
"policy" is set up for each division with an admin: e.g. the area

  <Policy mpodiv>
....
  <\Policy>

Use Digest authentication: set up /etc/cups/passwd.md5 using lppasswd.  A
user/passwd is set up for the division with "lppasswd" for mpoadmin/some-passwd
and the user is granted access in the <Policy mpodiv> area.
Set up passwds  for "root" and our admins (rcfadmin) in the same area.

Go to https://xen2:631. At any printers you want mpoadmin to have access,
select the (Printer Options) button.  Go near the bottom of the option page
and use the dropdown menu to select the Operation Policy for the division.
Save the setup.


--------/etc/cupsd.conf -------------------------
MaxLogSize 2000000000
## Show troubleshooting information in error_log.
#LogLevel debug
## Woging loglevel
LogLevel info
SystemGroup sys root
# Allow remote access.  
Port 631
## for local access only
#localhost:631 
Listen /var/run/cups/cups.sock
## Share local printers on the local network.
#Browsing on
#BrowseAddress @LOCAL
## RCF, turn off browsing.  Folks who want to use the printers put this server
##  in their /etc/cups/client.conf or set them up explicitly per their OS
Browsing off
BrowseDeny all
BrowseAllow none
BrowseOrder allow,deny

## RCF md5 authentication using passwd.md5.  Use lppasswd to set it up
DefaultAuthType Digest

<Location />
  # Allow shared printing and remote administration...
  Order allow,deny
  Allow from 192.168.96.0/19
  Allow from 192.168.2.0/24
  Allow from 192.168.3.0/24
</Location>

<Location /admin>
  Encryption Required
  # Allow remote administration from these addresses
  Order allow,deny
  Allow from 192.168.96.0/19
</Location>

<Location /admin/conf>
  AuthType Digest
# lpadmin is group in passwd.md5 file; rcfadmin, mpoadmin
## only want rcfadmin to alter general config files.  Want
## mpoadmin to be able to alter their printers.
##  Maybe shouldn't be here.  more testing needed
  Require user @SYSTEM rcfadmin mpoadmin
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow 192.168.96.0/19
</Location>

<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM rcfadmin
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Digest
    Require user @SYSTEM rcfadmin
    Order deny,allow
  </Limit>
  <Limit CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM rcfadmin
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel a job...
  <Limit Cancel-Job>
    Order deny,allow
    Require user @OWNER @SYSTEM rcfadmin
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

<Policy mpodiv>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM rcfadmin mpoadmin
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Digest
    Require user @SYSTEM rcfadmin mpoadmin
    Order deny,allow
  </Limit>
  <Limit CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM rcfadmin mpoadmin
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel a job...
  <Limit Cancel-Job>
    Order deny,allow
    Require user @OWNER @SYSTEM rcfadmin mpoadmin
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>