| <HTML> |
| <!-- SECTION: Getting Started --> |
| <HEAD> |
| <TITLE>Managing Operation Policies</TITLE> |
| </HEAD> |
| <BODY> |
| |
| <P>Operation policies are the rules used for each IPP operation |
| in CUPS. These rules include things like "user must provide a |
| password", "user must be in the system group", "allow only from |
| the local system", and so forth. Until CUPS 1.2, these rules were |
| largely hardcoded and could only be customized at a very basic |
| level.</P> |
| |
| <P>CUPS 1.2 adds a new fine-grained policy layer which allows you |
| to completely redefine the rules for each operation and/or |
| printer. Each policy is named and defines access control rules |
| for each IPP operation. This document describes how to manage |
| policies and their rules.</P> |
| |
| <H2 CLASS="title"><A NAME="BASICS">The Basics</A></H2> |
| |
| <P>Operation policies are used for all IPP requests sent to the |
| scheduler and are evaluated <em>after</em> the <A |
| HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> based |
| access control rules. This means that operation policies can only |
| add additional security restrictions to a request, never relax |
| them. Use <TT>Location</TT> based access control rules for |
| server-wide limits and operation policies for limits on |
| individual printers, tasks, or services.</P> |
| |
| <P>Policies are stored in the <VAR>cupsd.conf</VAR> file in <A |
| HREF="ref-cupsd-conf.html#Policy"><TT>Policy</TT></A> sections. |
| Each policy has an alphanumeric name that is used to select it. |
| Inside the policy section are one or more <A |
| HREF="ref-cupsd-conf.html#LimitIPP"><TT>Limit</TT></A> |
| subsections which list the operations that are affected by the |
| rules inside it. <A HREF="#LISTING01">Listing 1</A> shows the |
| default operation policy, appropriately called "default", that is |
| shipped with CUPS.</P> |
| |
| <P>The easiest way to add a policy to the <VAR>cupsd.conf</VAR> |
| file is to use the web interface. Click on the |
| <VAR>Administration</VAR> tab and then the <VAR>Edit |
| Configuration File</VAR> button to edit the current |
| <VAR>cupsd.conf</VAR> file. Click on the <VAR>Save Changes</VAR> |
| button to save the changes and restart the scheduler. If you edit |
| the <VAR>cupsd.conf</VAR> file from the console, make sure to <A |
| HREF="ref-cupsd-conf.html">restart the cupsd process</A> before |
| trying to use the new policy.</P> |
| |
| <PRE CLASS="command"> |
| <EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM> |
| |
| 1 <Policy default> |
| 2 # Job-related operations must be done by the owner or an |
| administrator... |
| 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
| Restart-Job Purge-Jobs Set-Job-Attributes |
| Create-Job-Subscription Renew-Subscription |
| Cancel-Subscription Get-Notifications Reprocess-Job |
| Cancel-Current-Job Suspend-Current-Job Resume-Job |
| CUPS-Move-Job> |
| 4 Require user @OWNER @SYSTEM |
| 5 Order deny,allow |
| 6 </Limit> |
| 7 |
| 8 # All administration operations require an administrator |
| to authenticate... |
| 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
| CUPS-Delete-Class CUPS-Set-Default> |
| 10 AuthType Default |
| 11 Require user @SYSTEM |
| 12 Order deny,allow |
| 13 </Limit> |
| 14 |
| 15 # All printer operations require a printer operator |
| to authenticate... |
| 16 <Limit Pause-Printer Resume-Printer |
| Set-Printer-Attributes Enable-Printer Disable-Printer |
| Pause-Printer-After-Current-Job Hold-New-Jobs |
| Release-Held-New-Jobs Deactivate-Printer Activate-Printer |
| Restart-Printer Shutdown-Printer Startup-Printer |
| Promote-Job Schedule-Job-After CUPS-Accept-Jobs |
| CUPS-Reject-Jobs> |
| 17 AuthType Default |
| 18 Require user <em>varies by OS</em> |
| 19 Order deny,allow |
| 20 </Limit> |
| 21 |
| 22 # Only the owner or an administrator can cancel or |
| authenticate a job... |
| 23 <Limit Cancel-Job CUPS-Authenticate-Job> |
| 24 Require user @OWNER @SYSTEM |
| 25 Order deny,allow |
| 26 </Limit> |
| 27 |
| 28 <Limit All> |
| 29 Order deny,allow |
| 30 </Limit> |
| 31 </Policy> |
| </PRE> |
| |
| <H3>The Default CUPS Operation Policy</H3> |
| |
| <P>The policy definition starts with an opening <TT>Policy</TT> |
| directive:</P> |
| |
| <PRE CLASS="command"> |
| 1 <Policy default> |
| </PRE> |
| |
| <P>The first <TT>Limit</TT> subsection defines the rules for IPP |
| job operations:</P> |
| |
| <PRE CLASS="command"> |
| 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
| Restart-Job Purge-Jobs Set-Job-Attributes |
| Create-Job-Subscription Renew-Subscription |
| Cancel-Subscription Get-Notifications Reprocess-Job |
| Cancel-Current-Job Suspend-Current-Job Resume-Job |
| CUPS-Move-Job> |
| 4 Require user @OWNER @SYSTEM |
| 5 Order deny,allow |
| 6 </Limit> |
| </PRE> |
| |
| <P>The operation names are listed on a single line |
| with spaces separating them. Each name corresponds to the IPP |
| operation described in any of the IETF or PWG standards documents |
| for the Internet Printing Protocol. <A HREF="#TABLE01">Table |
| 1</A> lists all of the operations that have been defined along |
| with their usage in CUPS.</P> |
| |
| <P>The access control rules are listed after the <TT>Limit</TT> |
| line and are the same as those used for <A |
| HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> |
| sections. In this case, we require the owner of the job |
| ("@OWNER") or a member of the <A |
| HREF="ref-cupsd-conf.html#SystemGroup"><TT>SystemGroup</TT></A> |
| ("@SYSTEM") to do the operation. Because we do not include an <A |
| HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A> |
| directive here, the user information can come from the IPP |
| request itself or the authenticated username from the HTTP |
| request. The administrative operations starting on line 9, |
| however, <em>do</em> use the <TT>AuthType</TT> directive, and so |
| administrative operations need to be authenticated:</P> |
| |
| <PRE CLASS="command"> |
| 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
| CUPS-Delete-Class CUPS-Set-Default> |
| 10 AuthType Default |
| 11 Require user @SYSTEM |
| 12 Order deny,allow |
| 13 </Limit> |
| 14 |
| 15 # All printer operations require a printer operator |
| to authenticate... |
| 16 <Limit Pause-Printer Resume-Printer |
| Set-Printer-Attributes Enable-Printer Disable-Printer |
| Pause-Printer-After-Current-Job Hold-New-Jobs |
| Release-Held-New-Jobs Deactivate-Printer Activate-Printer |
| Restart-Printer Shutdown-Printer Startup-Printer |
| Promote-Job Schedule-Job-After CUPS-Accept-Jobs |
| CUPS-Reject-Jobs> |
| 17 AuthType Default |
| 18 Require user <em>varies by OS</em> |
| 19 Order deny,allow |
| 20 </Limit> |
| </PRE> |
| |
| <P>The "Order deny,allow" line at the end of both <TT>Limit</TT> |
| subsections allows the request to come from any system allowed by |
| the <TT>Location</TT> sections elsewhere in the |
| <VAR>cupsd.conf</VAR> file.</P> |
| |
| <P>The <TT>Cancel-Job</TT> and <TT>CUPS-Authenticate-Job</TT> |
| operations are listed separately to allow the web interface to |
| more easily edit their policy without disturbing the rest. Like |
| the rest of the job operations, we want the job's owner |
| ("@OWNER") or an administrator ("@SYSTEM") to do it:</P> |
| |
| <PRE CLASS="command"> |
| 16 <Limit Cancel-Job CUPS-Authenticate-Job> |
| 17 Require user @OWNER @SYSTEM |
| 18 Order deny,allow |
| 19 </Limit> |
| </PRE> |
| |
| <P>The last <TT>Limit</TT> subsection in any policy uses the |
| special operation name <TT>All</TT>. CUPS will use the rules in |
| this subsection for any operation you don't list specifically in |
| the policy. In this case, all other operations are allowed |
| without a username or authentication:</P> |
| |
| <PRE CLASS="command"> |
| 21 <Limit All> |
| 22 Order deny,allow |
| 23 </Limit> |
| 24 </Policy> |
| </PRE> |
| |
| |
| <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="IPP Operation Names"> |
| <CAPTION>Table 1: <A NAME="TABLE01">IPP Operation Names</A></CAPTION> |
| <THEAD> |
| <TR> |
| <TH>Name</TH> |
| <TH>Used by CUPS?</TH> |
| <TH>Description</TH> |
| </TR> |
| </THEAD> |
| <TBODY> |
| <TR> |
| <TD NOWRAP><TT>Print-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Creates a print job with a single file.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Print-URI</TT></TD> |
| <TD>No</TD> |
| <TD>Create a print job with a single URI.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Validate-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Validates a print request before printing.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Create-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Creates a print job with no files or URIs.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Send-Document</TT></TD> |
| <TD>Yes</TD> |
| <TD>Adds a file to a print job.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Send-URI</TT></TD> |
| <TD>No</TD> |
| <TD>Adds a URI to a print job.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Cancel-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Cancels a print job.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Job-Attributes</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets information and options associated with a job.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Jobs</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets a list of jobs.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Printer-Attributes</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets information and options associated with a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Hold-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Holds a print job for printing.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Release-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Releases a print job for printing.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Restart-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Reprints a print job.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Pause-Printer</TT></TD> |
| <TD>Yes</TD> |
| <TD>Stops a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Resume-Printer</TT></TD> |
| <TD>Yes</TD> |
| <TD>Starts a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Purge-Jobs</TT></TD> |
| <TD>Yes</TD> |
| <TD>Cancels all jobs on the server or a printer or class |
| and removes the job history information.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Set-Printer-Attributes</TT></TD> |
| <TD>No</TD> |
| <TD>Sets printer or class information; CUPS uses |
| CUPS-Add-Modify-Printer and CUPS-Add-Modify-Class |
| instead.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Set-Job-Attributes</TT></TD> |
| <TD>Yes</TD> |
| <TD>Changes job options.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Printer-Supported-Values</TT></TD> |
| <TD>No</TD> |
| <TD>Gets -supported attributes for a printer based on job |
| options.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Create-Printer-Subscription</TT></TD> |
| <TD>Yes</TD> |
| <TD>Creates an event subscription for a printer or the server.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Create-Job-Subscription</TT></TD> |
| <TD>Yes</TD> |
| <TD>Creates an event subscription for a job.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Subscription-Attributes</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets information for an event subscription.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Subscriptions</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets a list of event subscriptions.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Renew-Subscription</TT></TD> |
| <TD>Yes</TD> |
| <TD>Renews an event subscription that is about to expire.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Cancel-Subscription</TT></TD> |
| <TD>Yes</TD> |
| <TD>Cancels an event subscription.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Notifications</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets (pending) events for an event subscription.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Send-Notifications</TT></TD> |
| <TD>No</TD> |
| <TD>Sends events for an event subscription.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Get-Printer-Support-Files</TT></TD> |
| <TD>No</TD> |
| <TD>Gets printer driver files for a Novell client.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Enable-Printer</TT></TD> |
| <TD>Yes</TD> |
| <TD>Starts a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Disable-Printer</TT></TD> |
| <TD>Yes</TD> |
| <TD>Stops a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Pause-Printer-After-Current-Job</TT></TD> |
| <TD>No</TD> |
| <TD>Stops a printer or class after the current job is finished.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Hold-New-Jobs</TT></TD> |
| <TD>No</TD> |
| <TD>Holds new jobs submitted to a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Release-Held-New-Jobs</TT></TD> |
| <TD>No</TD> |
| <TD>Releases jobs that were held because of the |
| Hold-New-Jobs operation.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Deactivate-Printer</TT></TD> |
| <TD>No</TD> |
| <TD>Deactivates a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Activate-Printer</TT></TD> |
| <TD>No</TD> |
| <TD>Activates a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Restart-Printer</TT></TD> |
| <TD>No</TD> |
| <TD>Restarts a printer or class, resuming print jobs as needed.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Shutdown-Printer</TT></TD> |
| <TD>No</TD> |
| <TD>Powers a printer or class off.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Startup-Printer</TT></TD> |
| <TD>No</TD> |
| <TD>Powers a printer or class on.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Reprocess-Job</TT></TD> |
| <TD>No</TD> |
| <TD>Reprints a job on a different printer or class; CUPS has the |
| CUPS-Move-Job operation instead.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Cancel-Current-Job</TT></TD> |
| <TD>No</TD> |
| <TD>Cancels the current job on a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Suspend-Current-Job</TT></TD> |
| <TD>No</TD> |
| <TD>Stops the current job on a printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Resume-Job</TT></TD> |
| <TD>No</TD> |
| <TD>Resumes printing of a stopped job.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Promote-Job</TT></TD> |
| <TD>No</TD> |
| <TD>Prints a job before others.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>Schedule-Job-After</TT></TD> |
| <TD>No</TD> |
| <TD>Prints a job after others.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Get-Default</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets the server/network default printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Get-Printers</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets a list of printers and/or classes.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Add-Modify-Printer</TT></TD> |
| <TD>Yes</TD> |
| <TD>Adds or modifies a printer.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Delete-Printer</TT></TD> |
| <TD>Yes</TD> |
| <TD>Removes a printer.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Get-Classes</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets a list of classes.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Add-Modify-Class</TT></TD> |
| <TD>Yes</TD> |
| <TD>Adds or modifies a class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Delete-Class</TT></TD> |
| <TD>Yes</TD> |
| <TD>Removes a class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Accept-Jobs</TT></TD> |
| <TD>Yes</TD> |
| <TD>Sets a printer's or class' printer-is-accepting-jobs |
| attribute to true.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Reject-Jobs</TT></TD> |
| <TD>Yes</TD> |
| <TD>Sets a printer's or class' printer-is-accepting-jobs |
| attribute to false.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Set-Default</TT></TD> |
| <TD>Yes</TD> |
| <TD>Sets the server/network default printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Get-Devices</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets a list of printer devices.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Get-PPDs</TT></TD> |
| <TD>Yes</TD> |
| <TD>Gets a list of printer drivers or manufacturers.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Move-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Moves a job to a different printer or class.</TD> |
| </TR> |
| <TR> |
| <TD NOWRAP><TT>CUPS-Authenticate-Job</TT></TD> |
| <TD>Yes</TD> |
| <TD>Authenticates a job for printing.</TD> |
| </TR> |
| </TBODY> |
| </TABLE></DIV> |
| |
| |
| <H2 CLASS="title"><A NAME="CREATING">Creating Your Own Policies</A></H2> |
| |
| <P>The easiest way to create a new policy is to start with the |
| default policy and then make changes to the copy. The first |
| change you'll make is to give the policy a new name. Policy names |
| can use the same characters as a printer name, specifically all |
| printable characters except space, slash (/), and pound (#):</P> |
| |
| <PRE CLASS="command"> |
| <Policy mypolicy> |
| </PRE> |
| |
| <P>Then you need to decide exactly what limits you want for the |
| policy. For example, if you want to allow any user to cancel any |
| other users' jobs, you can change the <TT>Cancel-Job</TT> limits |
| to:</P> |
| |
| <PRE CLASS="command"> |
| <Limit Cancel-Job> |
| Order deny,allow |
| </Limit> |
| </PRE> |
| |
| <P>The directives inside the <TT>Limit</TT> subsection can use |
| any of the normal limiting directives: <A |
| HREF="ref-cupsd-conf.html#Allow"><TT>Allow</TT></A>, <A |
| HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>, <A |
| HREF="ref-cupsd-conf.html#Deny"><TT>Deny</TT></A>, <A |
| HREF="ref-cupsd-conf.html#Encryption"><TT>Encryption</TT></A>, <A |
| HREF="ref-cupsd-conf.html#Require"><TT>Require</TT></A>, and <A |
| HREF="ref-cupsd-conf.html#Satisfy"><TT>Satisfy</TT></A>. <A |
| HREF="#TABLE02">Table 2</A> lists some basic "recipes" for |
| different access control rules.</P> |
| |
| <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="Access Control Recipes"> |
| <CAPTION>Table 2: <A NAME="TABLE02">Access Control Recipes</A></CAPTION> |
| <THEAD> |
| <TR> |
| <TH>Access Level</TH> |
| <TH>Directives to Use</TH> |
| </TR> |
| </THEAD> |
| <TBODY> |
| <TR> |
| <TD>Allow Everyone</TD> |
| <TD><PRE>Order deny,allow |
| Allow from all</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Allow Everyone on the Local Network</TD> |
| <TD><PRE>Order deny,allow |
| Allow from @LOCAL</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Deny Everyone/Disable Operation(s)</TD> |
| <TD><PRE>Order allow,deny |
| Deny from all</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Require Login (System) Password</TD> |
| <TD><PRE>AuthType Basic</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Require CUPS (lppasswd) Password</TD> |
| <TD><PRE>AuthType BasicDigest</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Require the Owner of a Job or Subscription</TD> |
| <TD><PRE>Require user @OWNER</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Require an Administrative User</TD> |
| <TD><PRE>Require user @SYSTEM</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Require Member of Group "foogroup"</TD> |
| <TD><PRE>Require user @foogroup</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Require "john" or "mary"</TD> |
| <TD><PRE>Require user john mary</PRE></TD> |
| </TR> |
| <TR> |
| <TD>Require Encryption</TD> |
| <TD><PRE>Encryption Required</PRE></TD> |
| </TR> |
| </TABLE></DIV> |
| |
| |
| <H3>Creating a Policy for a Computer Lab</H3> |
| |
| <P>One common operating scenario is a computer lab. The lab is |
| managed by one or more technicians that assist the users of the |
| lab and handle the basic administration tasks. <A |
| HREF="#LISTING02">Listing 2</A> shows an operation policy that |
| only allows access from the lab's subnet, 10.0.2.x, and allows |
| the lab technicians, who are members of a special UNIX group for |
| that lab called "lab999", to do job, printer, and subscription |
| management operations.</P> |
| |
| <PRE CLASS="command"> |
| <EM>Listing 2: <A NAME="LISTING02">Operation Policy for a Lab</A></EM> |
| |
| 1 <Policy lab999> |
| 2 # Job- and subscription-related operations must be done |
| by the owner, a lab technician, or an administrator... |
| 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
| Restart-Job Purge-Jobs Set-Job-Attributes |
| Create-Job-Subscription Renew-Subscription |
| Cancel-Subscription Get-Notifications Reprocess-Job |
| Cancel-Current-Job Suspend-Current-Job Resume-Job |
| CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job> |
| 4 Require user @OWNER @lab999 @SYSTEM |
| 5 Order allow,deny |
| 6 Allow from 10.0.2.0/24 |
| 7 </Limit> |
| 8 |
| 9 # All administration operations require a lab technician |
| or an administrator to authenticate... |
| 10 <Limit Pause-Printer Resume-Printer |
| Set-Printer-Attributes Enable-Printer Disable-Printer |
| Pause-Printer-After-Current-Job Hold-New-Jobs |
| Release-Held-New-Jobs Deactivate-Printer Activate-Printer |
| Restart-Printer Shutdown-Printer Startup-Printer |
| Promote-Job Schedule-Job-After CUPS-Accept-Jobs |
| CUPS-Reject-Jobs CUPS-Set-Default> |
| 11 AuthType Default |
| 12 Require user @lab999 @SYSTEM |
| 13 Order allow,deny |
| 14 Allow from 10.0.2.0/24 |
| 15 </Limit> |
| 16 |
| 17 # All other operations are allowed from the lab network... |
| 18 <Limit All> |
| 19 Order allow,deny |
| 20 Allow from 10.0.2.0/24 |
| 21 </Limit> |
| 22 </Policy> |
| </PRE> |
| |
| |
| <H2 CLASS="title"><A NAME="SELECT">Using Policies</A></H2> |
| |
| <P>Once you have created a policy, you can use it in two ways. |
| The first way is to assign it as the default policy for the |
| system using the <A |
| HREF="ref-cupsd-conf.html#DefaultPolicy"><TT>DefaultPolicy</TT></A> |
| directive in the <VAR>cupsd.conf</VAR> file. For example, add the |
| following line to the <VAR>cupsd.conf</VAR> file to use the |
| "lab999" policy from the previous section:</P> |
| |
| <PRE CLASS="command"> |
| DefaultPolicy lab999 |
| </PRE> |
| |
| <P>To associate the policy with one or more printers, use either |
| the <A HREF="man-lpadmin.html">lpadmin(8)</A> command or the web |
| interface to change the operation policy for each printer. When |
| using the <B>lpadmin</B> command, the <TT>-o |
| printer-op-policy=name</TT> option sets the operation policy for |
| a printer. For example, enter the following command to use the |
| "lab999" policy from the previous section with a printer named |
| "LaserJet4000":</P> |
| |
| <PRE CLASS="command"> |
| lpadmin -p LaserJet4000 -o printer-op-policy=lab999 |
| </PRE> |
| |
| <P>To make the same change in the web interface, go to the |
| printer's web page, for example |
| "http://localhost:631/printers/LaserJet4000", and click on the |
| <VAR>Set Printer Options</VAR> button. Scroll down to the bottom |
| of the page and choose the desired policy from the pull-down |
| list. Click on <VAR>Set Printer Options</VAR> to change the policy for |
| the printer.</P> |
| |
| </BODY> |
| </HTML> |