--- /dev/null
+<HTML>
+<!-- SECTION: Getting Started -->
+<HEAD>
+ <TITLE>Managing Operation Policies</TITLE>
+</HEAD>
+<BODY>
+
+<P>Operation policies are the rules used for each IPP operation
+in CUPS. These rules include things like "user must provide a
+password", "user must be in the system group", "allow only from
+the local system", and so forth. Until CUPS 1.2, these rules were
+largely hardcoded and could only be customized at a very basic
+level.</P>
+
+<P>CUPS 1.2 adds a new fine-grained policy layer which allows you
+to completely redefine the rules for each operation and/or
+printer. Each policy is named and defines access control rules
+for each IPP operation. This document describes how to manage
+policies and their rules.</P>
+
+<H2 CLASS="title"><A NAME="BASICS">The Basics</A></H2>
+
+<P>Operation policies are used for all IPP requests sent to the
+scheduler and are evaluated <em>after</em> the <A
+HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> based
+access control rules. This means that operation policies can only
+add additional security restrictions to a request, never relax
+them. Use <TT>Location</TT> based access control rules for
+server-wide limits and operation policies for limits on
+individual printers, tasks, or services.</P>
+
+<P>Policies are stored in the <VAR>cupsd.conf</VAR> file in <A
+HREF="ref-cupsd-conf.html#Policy"><TT>Policy</TT></A> sections.
+Each policy has an alphanumeric name that is used to select it.
+Inside the policy section are one or more <A
+HREF="ref-cupsd-conf.html#LimitIPP"><TT>Limit</TT></A>
+subsections which list the operations that are affected by the
+rules inside it. <A HREF="#LISTING01">Listing 1</A> shows the
+default operation policy, appropriately called "default", that is
+shipped with CUPS.</P>
+
+<P>The easiest way to add a policy to the <VAR>cupsd.conf</VAR>
+file is to use the web interface. Click on the
+<VAR>Administration</VAR> tab and then the <VAR>Edit
+Configuration File</VAR> button to edit the current
+<VAR>cupsd.conf</VAR> file. Click on the <VAR>Save Changes</VAR>
+button to save the changes and restart the scheduler. If you edit
+the <VAR>cupsd.conf</VAR> file from the console, make sure to <A
+HREF="ref-cupsd-conf.html">restart the cupsd process</A> before
+trying to use the new policy.</P>
+
+<PRE CLASS="command">
+<EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM>
+
+ 1 <Policy default>
+ 2 # Job-related operations must be done by the owner or an
+ adminstrator...
+ 3 <Limit Send-Document Send-URI Hold-Job Release-Job
+ Restart-Job Purge-Jobs Set-Job-Attributes
+ Create-Job-Subscription Renew-Subscription
+ Cancel-Subscription Get-Notifications Reprocess-Job
+ Cancel-Current-Job Suspend-Current-Job Resume-Job
+ CUPS-Move-Job>
+ 4 Require user @OWNER @SYSTEM
+ 5 Order deny,allow
+ 6 </Limit>
+ 7
+ 8 # All administration operations require an adminstrator
+ to authenticate...
+ 9 <Limit Pause-Printer Resume-Printer
+ Set-Printer-Attributes Enable-Printer Disable-Printer
+ Pause-Printer-After-Current-Job Hold-New-Jobs
+ Release-Held-New-Jobs Deactivate-Printer Activate-Printer
+ Restart-Printer Shutdown-Printer Startup-Printer
+ Promote-Job Schedule-Job-After CUPS-Add-Printer
+ CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
+ CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
+10 AuthType Basic
+11 Require user @SYSTEM
+12 Order deny,allow
+13 </Limit>
+14
+15 # Only the owner or an administrator can cancel or
+ authenticate a job...
+16 <Limit Cancel-Job CUPS-Authenticate-Job>
+17 Require user @OWNER @SYSTEM
+18 Order deny,allow
+19 </Limit>
+20
+21 <Limit All>
+22 Order deny,allow
+23 </Limit>
+24 </Policy>
+</PRE>
+
+<H3>The Default CUPS Operation Policy</H3>
+
+<P>The policy definition starts with an opening <TT>Policy</TT>
+directive:</P>
+
+<PRE CLASS="command">
+ 1 <Policy default>
+</PRE>
+
+<P>The first <TT>Limit</TT> subsection defines the rules for IPP
+job operations:</P>
+
+<PRE CLASS="command">
+ 3 <Limit Send-Document Send-URI Hold-Job Release-Job
+ Restart-Job Purge-Jobs Set-Job-Attributes
+ Create-Job-Subscription Renew-Subscription
+ Cancel-Subscription Get-Notifications Reprocess-Job
+ Cancel-Current-Job Suspend-Current-Job Resume-Job
+ CUPS-Move-Job>
+ 4 Require user @OWNER @SYSTEM
+ 5 Order deny,allow
+ 6 </Limit>
+</PRE>
+
+<P>The operation names are listed on a single line
+with spaces separating them. Each name corresponds to the IPP
+operation described in any of the IETF or PWG standards documents
+for the Internet Printing Protocol. <A HREF="#TABLE01">Table
+1</A> lists all of the operations that have been defined along
+with their usage in CUPS.</P>
+
+<P>The access control rules are listed after the <TT>Limit</TT>
+line and are the same as those used for <A
+HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A>
+sections. In this case, we require the owner of the job
+("@OWNER") or a member of the <A
+HREF="ref-cupsd-conf.html#SystemGroup"><TT>SystemGroup</TT></A>
+("@SYSTEM") to do the operation. Because we do not include an <A
+HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>
+directive here, the user information can come from the IPP
+request itself or the authenticated username from the HTTP
+request. The administrative operations starting on line 9,
+however, <em>do</em> use the <TT>AuthType</TT> directive, and so
+administrative operations need to be authenticated:</P>
+
+<PRE CLASS="command">
+ 9 <Limit Pause-Printer Resume-Printer
+ Set-Printer-Attributes Enable-Printer Disable-Printer
+ Pause-Printer-After-Current-Job Hold-New-Jobs
+ Release-Held-New-Jobs Deactivate-Printer Activate-Printer
+ Restart-Printer Shutdown-Printer Startup-Printer
+ Promote-Job Schedule-Job-After CUPS-Add-Printer
+ CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
+ CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
+10 AuthType Basic
+11 Require user @SYSTEM
+12 Order deny,allow
+13 </Limit>
+</PRE>
+
+<P>The "Order deny,allow" line at the end of both <TT>Limit</TT>
+subsections allows the request to come from any system allowed by
+the <TT>Location</TT> sections elsewhere in the
+<VAR>cupsd.conf</VAR> file.</P>
+
+<P>The <TT>Cancel-Job</TT> and <TT>CUPS-Authenticate-Job</TT>
+operations are listed separately to allow the web interface to
+more easily edit their policy without disturbing the rest. Like
+the rest of the job operations, we want the job's owner
+("@OWNER") or an administrator ("@SYSTEM") to do it:</P>
+
+<PRE CLASS="command">
+16 <Limit Cancel-Job CUPS-Authenticate-Job>
+17 Require user @OWNER @SYSTEM
+18 Order deny,allow
+19 </Limit>
+</PRE>
+
+<P>The last <TT>Limit</TT> subsection in any policy uses the
+special operation name <TT>All</TT>. CUPS will use the rules in
+this subsection for any operation you don't list specifically in
+the policy. In this case, all other operations are allowed
+without a username or authentication:</P>
+
+<PRE CLASS="command">
+21 <Limit All>
+22 Order deny,allow
+23 </Limit>
+24 </Policy>
+</PRE>
+
+
+<DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="IPP Operation Names">
+<CAPTION>Table 1: <A NAME="TABLE01">IPP Operation Names</A></CAPTION>
+<THEAD>
+<TR>
+ <TH>Name</TH>
+ <TH>Used by CUPS?</TH>
+ <TH>Description</TH>
+</TR>
+</THEAD>
+<TBODY>
+<TR>
+ <TD NOWRAP><TT>Print-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Creates a print job with a single file.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Print-URI</TT></TD>
+ <TD>No</TD>
+ <TD>Create a print job with a single URI.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Validate-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Validates a print request before printing.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Create-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Creates a print job with no files or URIs.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Send-Document</TT></TD>
+ <TD>Yes</TD>
+ <TD>Adds a file to a print job.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Send-URI</TT></TD>
+ <TD>No</TD>
+ <TD>Adds a URI to a print job.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Cancel-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Cancels a print job.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Job-Attributes</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets information and options associated with a job.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Jobs</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets a list of jobs.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Printer-Attributes</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets information and options associated with a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Hold-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Holds a print job for printing.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Release-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Releases a print job for printing.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Restart-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Reprints a print job.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Pause-Printer</TT></TD>
+ <TD>Yes</TD>
+ <TD>Stops a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Resume-Printer</TT></TD>
+ <TD>Yes</TD>
+ <TD>Starts a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Purge-Jobs</TT></TD>
+ <TD>Yes</TD>
+ <TD>Cancels all jobs on the server or a printer or class
+ and removes the job history information.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Set-Printer-Attributes</TT></TD>
+ <TD>No</TD>
+ <TD>Sets printer or class information; CUPS uses
+ CUPS-Add-Modify-Printer and CUPS-Add-Modify-Class
+ instead.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Set-Job-Attributes</TT></TD>
+ <TD>Yes</TD>
+ <TD>Changes job options.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Printer-Supported-Values</TT></TD>
+ <TD>No</TD>
+ <TD>Gets -supported attributes for a printer based on job
+ options.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Create-Printer-Subscription</TT></TD>
+ <TD>Yes</TD>
+ <TD>Creates an event subscription for a printer or the server.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Create-Job-Subscription</TT></TD>
+ <TD>Yes</TD>
+ <TD>Creates an event subscription for a job.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Subscription-Attributes</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets information for an event subscription.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Subscriptions</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets a list of event subscriptions.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Renew-Subscription</TT></TD>
+ <TD>Yes</TD>
+ <TD>Renews an event subscription that is about to expire.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Cancel-Subscription</TT></TD>
+ <TD>Yes</TD>
+ <TD>Cancels an event subscription.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Notifications</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets (pending) events for an event subscription.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Send-Notifications</TT></TD>
+ <TD>No</TD>
+ <TD>Sends events for an event subscription.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Get-Printer-Support-Files</TT></TD>
+ <TD>No</TD>
+ <TD>Gets printer driver files for a Novell client.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Enable-Printer</TT></TD>
+ <TD>Yes</TD>
+ <TD>Starts a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Disable-Printer</TT></TD>
+ <TD>Yes</TD>
+ <TD>Stops a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Pause-Printer-After-Current-Job</TT></TD>
+ <TD>No</TD>
+ <TD>Stops a printer or class after the current job is finished.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Hold-New-Jobs</TT></TD>
+ <TD>No</TD>
+ <TD>Holds new jobs submitted to a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Release-Held-New-Jobs</TT></TD>
+ <TD>No</TD>
+ <TD>Releases jobs that were held because of the
+ Hold-New-Jobs operation.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Deactivate-Printer</TT></TD>
+ <TD>No</TD>
+ <TD>Deactivates a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Activate-Printer</TT></TD>
+ <TD>No</TD>
+ <TD>Activates a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Restart-Printer</TT></TD>
+ <TD>No</TD>
+ <TD>Restarts a printer or class, resuming print jobs as needed.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Shutdown-Printer</TT></TD>
+ <TD>No</TD>
+ <TD>Powers a printer or class off.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Startup-Printer</TT></TD>
+ <TD>No</TD>
+ <TD>Powers a printer or class on.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Reprocess-Job</TT></TD>
+ <TD>No</TD>
+ <TD>Reprints a job on a different printer or class; CUPS has the
+ CUPS-Move-Job operation instead.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Cancel-Current-Job</TT></TD>
+ <TD>No</TD>
+ <TD>Cancels the current job on a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Suspend-Current-Job</TT></TD>
+ <TD>No</TD>
+ <TD>Stops the current job on a printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Resume-Job</TT></TD>
+ <TD>No</TD>
+ <TD>Resumes printing of a stopped job.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Promote-Job</TT></TD>
+ <TD>No</TD>
+ <TD>Prints a job before others.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>Schedule-Job-After</TT></TD>
+ <TD>No</TD>
+ <TD>Prints a job after others.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Get-Default</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets the server/network default printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Get-Printers</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets a list of printers and/or classes.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Add-Modify-Printer</TT></TD>
+ <TD>Yes</TD>
+ <TD>Adds or modifies a printer.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Delete-Printer</TT></TD>
+ <TD>Yes</TD>
+ <TD>Removes a printer.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Get-Classes</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets a list of classes.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Add-Modify-Class</TT></TD>
+ <TD>Yes</TD>
+ <TD>Adds or modifies a class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Delete-Class</TT></TD>
+ <TD>Yes</TD>
+ <TD>Removes a class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Accept-Jobs</TT></TD>
+ <TD>Yes</TD>
+ <TD>Sets a printer's or class' printer-is-accepting-jobs
+ attribute to true.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Reject-Jobs</TT></TD>
+ <TD>Yes</TD>
+ <TD>Sets a printer's or class' printer-is-accepting-jobs
+ attribute to false.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Set-Default</TT></TD>
+ <TD>Yes</TD>
+ <TD>Sets the server/network default printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Get-Devices</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets a list of printer devices.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Get-PPDs</TT></TD>
+ <TD>Yes</TD>
+ <TD>Gets a list of printer drivers or manufacturers.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Move-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Moves a job to a different printer or class.</TD>
+</TR>
+<TR>
+ <TD NOWRAP><TT>CUPS-Authenticate-Job</TT></TD>
+ <TD>Yes</TD>
+ <TD>Authenticates a job for printing.</TD>
+</TR>
+</TBODY>
+</TABLE></DIV>
+
+
+<H2 CLASS="title"><A NAME="CREATING">Creating Your Own Policies</A></H2>
+
+<P>The easiest way to create a new policy is to start with the
+default policy and then make changes to the copy. The first
+change you'll make is to give the policy a new name. Policy names
+can use the same characters as a printer name, specifically all
+printable characters except space, slash (/), and pound (#):</P>
+
+<PRE CLASS="command">
+<Policy mypolicy>
+</PRE>
+
+<P>Then you need to decide exactly what limits you want for the
+policy. For example, if you want to allow any user to cancel any
+other users' jobs, you can change the <TT>Cancel-Job</TT> limits
+to:</P>
+
+<PRE CLASS="command">
+<Limit Cancel-Job>
+ Order deny,allow
+</Limit>
+</PRE>
+
+<P>The directives inside the <TT>Limit</TT> subsection can use
+any of the normal limiting directives: <A
+HREF="ref-cupsd-conf.html#Allow"><TT>Allow</TT></A>, <A
+HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>, <A
+HREF="ref-cupsd-conf.html#Deny"><TT>Deny</TT></A>, <A
+HREF="ref-cupsd-conf.html#Encryption"><TT>Encryption</TT></A>, <A
+HREF="ref-cupsd-conf.html#Require"><TT>Require</TT></A>, and <A
+HREF="ref-cupsd-conf.html#Satisfy"><TT>Satisfy</TT></A>. <A
+HREF="#TABLE02">Table 2</A> lists some basic "recipes" for
+different access control rules.</P>
+
+<DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="Access Control Recipes">
+<CAPTION>Table 2: <A NAME="TABLE02">Access Control Recipes</A></CAPTION>
+<THEAD>
+<TR>
+ <TH>Access Level</TH>
+ <TH>Directives to Use</TH>
+</TR>
+</THEAD>
+<TBODY>
+<TR>
+ <TD>Allow Everyone</TD>
+ <TD><PRE>Order deny,allow
+Allow from all</PRE></TD>
+</TR>
+<TR>
+ <TD>Allow Everyone on the Local Network</TD>
+ <TD><PRE>Order deny,allow
+Allow from @LOCAL</PRE></TD>
+</TR>
+<TR>
+ <TD>Deny Everyone/Disable Operation(s)</TD>
+ <TD><PRE>Order allow,deny
+Deny from all</PRE></TD>
+</TR>
+<TR>
+ <TD>Require Login (System) Password</TD>
+ <TD><PRE>AuthType Basic</PRE></TD>
+</TR>
+<TR>
+ <TD>Require CUPS (lppasswd) Password</TD>
+ <TD><PRE>AuthType BasicDigest</PRE></TD>
+</TR>
+<TR>
+ <TD>Require the Owner of a Job or Subscription</TD>
+ <TD><PRE>Require user @OWNER</PRE></TD>
+</TR>
+<TR>
+ <TD>Require an Administrative User</TD>
+ <TD><PRE>Require user @SYSTEM</PRE></TD>
+</TR>
+<TR>
+ <TD>Require Member of Group "foogroup"</TD>
+ <TD><PRE>Require user @foogroup</PRE></TD>
+</TR>
+<TR>
+ <TD>Require "john" or "mary"</TD>
+ <TD><PRE>Require user john mary</PRE></TD>
+</TR>
+<TR>
+ <TD>Require Encryption</TD>
+ <TD><PRE>Encryption Required</PRE></TD>
+</TR>
+</TABLE></DIV>
+
+
+<H3>Creating a Policy for a Computer Lab</H3>
+
+<P>One common operating scenario is a computer lab. The lab is
+managed by one or more technicians that assist the users of the
+lab and handle the basic administration tasks. <A
+HREF="#LISTING02">Listing 2</A> shows an operation policy that
+only allows access from the lab's subnet, 10.0.2.x, and allows
+the lab technicians, who are members of a special UNIX group for
+that lab called "lab999", to do job, printer, and subscription
+management operations.</P>
+
+<PRE CLASS="command">
+<EM>Listing 2: <A NAME="LISTING02">Operation Policy for a Lab</A></EM>
+
+ 1 <Policy lab999>
+ 2 # Job- and subscription-related operations must be done
+ by the owner, a lab technician, or an adminstrator...
+ 3 <Limit Send-Document Send-URI Hold-Job Release-Job
+ Restart-Job Purge-Jobs Set-Job-Attributes
+ Create-Job-Subscription Renew-Subscription
+ Cancel-Subscription Get-Notifications Reprocess-Job
+ Cancel-Current-Job Suspend-Current-Job Resume-Job
+ CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job>
+ 4 Require user @OWNER @lab999 @SYSTEM
+ 5 Order allow,deny
+ 6 Allow from 10.0.2.0/24
+ 7 </Limit>
+ 8
+ 9 # All administration operations require a lab technician
+ or an adminstrator to authenticate...
+10 <Limit Pause-Printer Resume-Printer
+ Set-Printer-Attributes Enable-Printer Disable-Printer
+ Pause-Printer-After-Current-Job Hold-New-Jobs
+ Release-Held-New-Jobs Deactivate-Printer Activate-Printer
+ Restart-Printer Shutdown-Printer Startup-Printer
+ Promote-Job Schedule-Job-After CUPS-Accept-Jobs
+ CUPS-Reject-Jobs CUPS-Set-Default>
+11 AuthType Basic
+12 Require user @lab999 @SYSTEM
+13 Order allow,deny
+14 Allow from 10.0.2.0/24
+15 </Limit>
+16
+17 # All other operations are allowed from the lab network...
+18 <Limit All>
+19 Order allow,deny
+20 Allow from 10.0.2.0/24
+21 </Limit>
+22 </Policy>
+</PRE>
+
+
+<H2 CLASS="title"><A NAME="SELECT">Using Policies</A></H2>
+
+<P>Once you have created a policy, you can use it in two ways.
+The first way is to assign it as the default policy for the
+system using the <A
+HREF="ref-cupsd-conf.html#DefaultPolicy"><TT>DefaultPolicy</TT></A>
+directive in the <VAR>cupsd.conf</VAR> file. For example, add the
+following line to the <VAR>cupsd.conf</VAR> file to use the
+"lab999" policy from the previous section:</P>
+
+<PRE CLASS="command">
+DefaultPolicy lab999
+</PRE>
+
+<P>To associate the policy with one or more printers, use either
+the <A HREF="man-lpadmin.html">lpadmin(8)</A> command or the web
+interface to change the operation policy for each printer. When
+using the <B>lpadmin</B> command, the <TT>-o
+printer-op-policy=name</TT> option sets the operation policy for
+a printer. For example, enter the following command to use the
+"lab999" policy from the previous section with a printer named
+"LaserJet4000":</P>
+
+<PRE CLASS="command">
+lpadmin -p LaserJet4000 -o printer-op-policy=lab999
+</PRE>
+
+<P>To make the same change in the web interface, go to the
+printer's web page, for example
+"http://localhost:631/printers/LaserJet4000", and click on the
+<VAR>Set Printer Options</VAR> button. Scroll down to the bottom
+of the page and choose the desired policy from the pull-down
+list. Click on <VAR>Save Changes</VAR> to change the policy for
+the printer.</P>
+
+</BODY>
+</HTML>