Chapter 7 - Controlling Access to Network Printers
To control access to network printers, you control access to the VINES print services. Because you can assign multiple printers to a print service and multiple print services to a network printer, you may need to restrict access to more than one print service for a given network printer.
This chapter explains the three levels of access control and how to set up the access lists. In addition, this chapter explains how to control the use of PCPRINT. For complete details on VINES print services and on PCPRINT, see the appropriate chapters in Managing VINES Services.
The VINES print service provides three levels of access control: administrators, operators, and users. Each level has its own list:
Administrators - AdminList of the group in which the print service is created and AdminList of the server on which the print service resides.
Operators - Operator Access List configured for the print service.
Users - User Access List configured for the print service.
The Operator and User Access Lists can contain up to five entries, either StreetTalk names of individuals or StreetTalk lists. If five entries is not sufficient for your needs, create a StreetTalk list for the print service operators or users. Be careful not to have lists within that list. Nested lists can slow performance.
As in ARLs, you can use templates or patterns in a limited way. Use only those templates that have leading asterisks. For example, *@Mkt@WCTUS and *@*@WCTUS are acceptable entries in the Operator and User Access Lists. Do not use patterns such as Bob*@Mkt@WCTUS and Bill Jones@*@WCTUS.
At each level, privileges are granted as the following sections describe.
Administrators on the AdminList of the service's group and on the AdminList of the server on which the print service resides can create, modify, and delete print services. They can start and stop the print queues, assign physical print devices, configure filters, and perform all operator and user tasks.
Operators of a print service can cancel, hold, reprint, or reschedule any job in the print queue. They can change the paper format of any job or move any job from one queue to another. Operators can also change the status of the print queue, start and stop the service, change the paper format of a destination, and perform any user tasks.
Users of a print service can control only their own print jobs through the Control Print Jobs menu in the SETPRINT program. The tasks they can perform in SETPRINT include: view detailed information about the status of their job; put their own jobs on hold and take them off hold; cancel, reprint, and reschedule their jobs; change the paper format of their jobs; and move their jobs to the bottom of the queue or to a different queue.
When you configure alternate print service destinations, you must coordinate the access lists of the two print services.
For example, the print service BackupLaser@Prt@WCTUS is configured as an alternate print service destination in print service Presses@Prt@WCTUS. To enable the users of Presses@Prt@WCTUS to send jobs to BackupLaser@Prt@WCTUS, you must enter the StreetTalk name Presses@Prt@WCTUS on the user access list of BackupLaser@Prt@WCTUS.
For each print service, the Operator and User Access Lists each have a default entry. You can keep or delete the default, and/or add other StreetTalk names. The default entry for the Operator Access List is the AdminList of the group to which the service belongs. For example, if the service's group name is Com@WCTUS, then the default entry in the Operator Access List is "AdminList@Com@WCTUS." The default entry for the User Access List is *@*@* (any user who can log in to the VINES network and any other print service).
Macintosh
Note that all Macintosh users can access a VINES print service that is visible in the zones available to them. The User Access List does not restrict their ability to see and use it. See the VINES User's Guide for Macintosh for information on how to access VINES print services from a Macintosh workstation.
Users on the AdminList of the service's group and on the AdminList of the server on which the print service resides are administrators of the service automatically. No separate list exists for them in the Configure Service menu. To edit the AdminList, use the MLIST program. See Managing Users and StreetTalk for instructions on using the MLIST program.
The most secure way to restrict administrator access to printers is to restrict the AdminList of the server and to create a special group for one or more print services. On the AdminList of that group, add the StreetTalk names of only those people who are designated as administrators of network print services and printers.
If you have not already created print services, refer to Managing VINES Services for complete instructions on how to create print services, which include creating access lists.
If you have already created print services and want to restrict access, follow the instructions below:
1. Using either the MSERVICE or OPERATE program, display the Control a Service menu for the print service.
2. Select Configure Service.
3. When the Configure Service menu appears, select Edit Access Lists.
4. At the Access Lists screen, the cursor is under the first letter in the OPERATORS list. You have a choice:
- To delete the default entry, press CTRL+X.
- To keep the default entry and move to the first blank field, press the DOWN arrow key.
5. In the blank field, enter a StreetTalk name, using the editing keys described in Table 7-1. Note that the screen is in overstrike mode.
6. Press ENTER to move to the next blank field.
7. Repeat steps 5 and 6 until you have entered all the names you require in the OPERATORS list.
8. When you have completed the OPERATORS list, move the cursor to the USERS list by pressing the DOWN arrow key, or ENTER.
9. As in the OPERATORS list, you have a choice:
- To delete the default entry, press CTRL+X.
- To keep the default entry and move to the first blank field, pres the DOWN arrow key.
10. Repeat steps 5 and 6 until you have entered all the names you require in the USERS list.
11. To save your changes and exit to the Access Lists screen, press F10.
You cannot leave the lists blank. If you try to leave a list blank - either by typing CTRL+X or all spaces in all the fields - the system presents the following error message:
List is blank. Reinstating default...
The Access Lists screen remains displayed, showing the default entry in the list. You can edit the list again or press F10 to use the default and exit to the Manage Print Service screen.
Note: If you replace a default entry with a different entry, the system uses the new entry for allowing or denying access to the print service. The system reinstates a default entry only when you leave the list completely blank.
The PCPRINT option lets network users send print jobs to a network printer that is attached to a remote DOS workstation. You must have purchased the PCPRINT option to take advantage of this capability. See Managing VINES Services for details on this option.
To set up a network printer that is attached to a DOS workstation, you must configure the printer as a PCPrint destination of a print service. Because this printer is controlled by a VINES print service, you can control access to it through the service's access lists and the AdminList of the service's group as described in the preceding section.
In addition, during configuration of the PCPrint destination, you must identify the StreetTalk name of the user who can invoke the PCPRINT option. If you do not specify a name or the wildcard entry (*@*@*), PCPRINT cannot run.
The Destination Attributes screen for a PCPrint destination has a field, called "PCPRINT ST Name," where you enter the StreetTalk name of the user who can invoke PCPRINT at the remote DOS workstation.
Depending on your security and printing needs, you may want to create a special StreetTalk name for this user and make the name and password known to the those responsible for maintaining the remote printer. Enter your special user name in the PCPRINT ST Name field of the Destination Attributes screen of the PCPrint destination.
You can enter StreetTalk list names in this field. To allow all users to invoke PCPRINT at the remote DOS workstation, enter *@*@* in this field.
