<!-- SECTION: Getting Started -->
<HEAD>
<TITLE>Managing Operation Policies</TITLE>
+ <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
</HEAD>
<BODY>
+<H1 CLASS="title">Managing Operation Policies</H1>
+
<P>Operation policies are the rules used for each IPP operation
in CUPS. These rules include things like "user must provide a
password", "user must be in the system group", "allow only from
HREF="ref-cupsd-conf.html">restart the cupsd process</A> before
trying to use the new policy.</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
<EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM>
1 <Policy default>
2 # Job-related operations must be done by the owner or an
- adminstrator...
+ administrator...
3 <Limit Send-Document Send-URI Hold-Job Release-Job
Restart-Job Purge-Jobs Set-Job-Attributes
Create-Job-Subscription Renew-Subscription
5 Order deny,allow
6 </Limit>
7
- 8 # All administration operations require an adminstrator
+ 8 # All administration operations require an administrator
to authenticate...
- 9 <Limit Pause-Printer Resume-Printer
- Set-Printer-Attributes Enable-Printer Disable-Printer
- Pause-Printer-After-Current-Job Hold-New-Jobs
- Release-Held-New-Jobs Deactivate-Printer Activate-Printer
- Restart-Printer Shutdown-Printer Startup-Printer
- Promote-Job Schedule-Job-After CUPS-Add-Printer
- CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
- CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
-10 AuthType Basic
+ 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class
+ CUPS-Delete-Class CUPS-Set-Default>
+10 AuthType Default
11 Require user @SYSTEM
12 Order deny,allow
13 </Limit>
14
-15 # Only the owner or an administrator can cancel or
+15 # All printer operations require a printer operator
+ to authenticate...
+16 <Limit Pause-Printer Resume-Printer
+ Set-Printer-Attributes Enable-Printer Disable-Printer
+ Pause-Printer-After-Current-Job Hold-New-Jobs
+ Release-Held-New-Jobs Deactivate-Printer Activate-Printer
+ Restart-Printer Shutdown-Printer Startup-Printer
+ Promote-Job Schedule-Job-After CUPS-Accept-Jobs
+ CUPS-Reject-Jobs>
+17 AuthType Default
+18 Require user <em>varies by OS</em>
+19 Order deny,allow
+20 </Limit>
+21
+22 # Only the owner or an administrator can cancel or
authenticate a job...
-16 <Limit Cancel-Job CUPS-Authenticate-Job>
-17 Require user @OWNER @SYSTEM
-18 Order deny,allow
-19 </Limit>
-20
-21 <Limit All>
-22 Order deny,allow
-23 </Limit>
-24 </Policy>
+23 <Limit Cancel-Job CUPS-Authenticate-Job>
+24 Require user @OWNER @SYSTEM
+25 Order deny,allow
+26 </Limit>
+27
+28 <Limit All>
+29 Order deny,allow
+30 </Limit>
+31 </Policy>
</PRE>
<H3>The Default CUPS Operation Policy</H3>
<P>The policy definition starts with an opening <TT>Policy</TT>
directive:</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
1 <Policy default>
</PRE>
<P>The first <TT>Limit</TT> subsection defines the rules for IPP
job operations:</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
3 <Limit Send-Document Send-URI Hold-Job Release-Job
Restart-Job Purge-Jobs Set-Job-Attributes
Create-Job-Subscription Renew-Subscription
however, <em>do</em> use the <TT>AuthType</TT> directive, and so
administrative operations need to be authenticated:</P>
-<PRE CLASS="command">
- 9 <Limit Pause-Printer Resume-Printer
+<PRE CLASS="example">
+ 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class
+ CUPS-Delete-Class CUPS-Set-Default>
+10 AuthType Default
+11 Require user @SYSTEM
+12 Order deny,allow
+13 </Limit>
+14
+15 # All printer operations require a printer operator
+ to authenticate...
+16 <Limit Pause-Printer Resume-Printer
Set-Printer-Attributes Enable-Printer Disable-Printer
Pause-Printer-After-Current-Job Hold-New-Jobs
Release-Held-New-Jobs Deactivate-Printer Activate-Printer
Restart-Printer Shutdown-Printer Startup-Printer
- Promote-Job Schedule-Job-After CUPS-Add-Printer
- CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class
- CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
-10 AuthType Basic
-11 Require user @SYSTEM
-12 Order deny,allow
-13 </Limit>
+ Promote-Job Schedule-Job-After CUPS-Accept-Jobs
+ CUPS-Reject-Jobs>
+17 AuthType Default
+18 Require user <em>varies by OS</em>
+19 Order deny,allow
+20 </Limit>
</PRE>
<P>The "Order deny,allow" line at the end of both <TT>Limit</TT>
the rest of the job operations, we want the job's owner
("@OWNER") or an administrator ("@SYSTEM") to do it:</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
16 <Limit Cancel-Job CUPS-Authenticate-Job>
17 Require user @OWNER @SYSTEM
18 Order deny,allow
the policy. In this case, all other operations are allowed
without a username or authentication:</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
21 <Limit All>
22 Order deny,allow
23 </Limit>
can use the same characters as a printer name, specifically all
printable characters except space, slash (/), and pound (#):</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
<Policy mypolicy>
</PRE>
other users' jobs, you can change the <TT>Cancel-Job</TT> limits
to:</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
<Limit Cancel-Job>
Order deny,allow
</Limit>
that lab called "lab999", to do job, printer, and subscription
management operations.</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
<EM>Listing 2: <A NAME="LISTING02">Operation Policy for a Lab</A></EM>
1 <Policy lab999>
2 # Job- and subscription-related operations must be done
- by the owner, a lab technician, or an adminstrator...
+ by the owner, a lab technician, or an administrator...
3 <Limit Send-Document Send-URI Hold-Job Release-Job
Restart-Job Purge-Jobs Set-Job-Attributes
Create-Job-Subscription Renew-Subscription
7 </Limit>
8
9 # All administration operations require a lab technician
- or an adminstrator to authenticate...
+ or an administrator to authenticate...
10 <Limit Pause-Printer Resume-Printer
Set-Printer-Attributes Enable-Printer Disable-Printer
Pause-Printer-After-Current-Job Hold-New-Jobs
Restart-Printer Shutdown-Printer Startup-Printer
Promote-Job Schedule-Job-After CUPS-Accept-Jobs
CUPS-Reject-Jobs CUPS-Set-Default>
-11 AuthType Basic
+11 AuthType Default
12 Require user @lab999 @SYSTEM
13 Order allow,deny
14 Allow from 10.0.2.0/24
following line to the <VAR>cupsd.conf</VAR> file to use the
"lab999" policy from the previous section:</P>
-<PRE CLASS="command">
+<PRE CLASS="example">
DefaultPolicy lab999
</PRE>
"http://localhost:631/printers/LaserJet4000", and click on the
<VAR>Set Printer Options</VAR> button. Scroll down to the bottom
of the page and choose the desired policy from the pull-down
-list. Click on <VAR>Save Changes</VAR> to change the policy for
+list. Click on <VAR>Set Printer Options</VAR> to change the policy for
the printer.</P>
</BODY>