Protecting printers with profiles in the PRINTSRV class
You can define profiles in the PRINTSRV class to restrict who can work with printers. Profiles in the PRINTSRV class can apply to both IP PrintWay and PSF printers.
You can define a separate profile to protect each printer, or you can define one profile to protect a group of printers or all printers. For example, if you want to authorize different users to work with printers in different locations, define separate profiles for printers in each location. You can define one profile for all printers in Denver, and another profile for all printers in Houston. If you want to authorize the same group of users to work with all printers, you need to define only one profile.
- IP PrintWay printers: Specify the profile name in the printer's printer definition.
- PSF printers: Specify the profile name in the printer's FSA definition.
To do this action in Infoprint Central | Access to this profile in the PRINTSRV class is required | This minimum access is required |
---|---|---|
Change forms - PSF printers only | Profile that is specified in Printer Inventory | UPDATE |
Change job selection - PSF printers only | Profile that is specified in Printer Inventory | UPDATE |
Find and display printers1 | Profile that is specified in Printer Inventory | READ |
Interrupt - PSF printers only2 | Profile that is specified in Printer Inventory | CONTROL |
Pause - PSF printers only2 | Profile that is specified in Printer Inventory | CONTROL |
Ping and run traceroute | Profile that is specified in Printer Inventory | READ |
Redirect - IP PrintWay printers only5 | Profile that is specified in Printer Inventory | CONTROL |
Repeat - PSF printers only2 | Profile that is specified in Printer Inventory | CONTROL |
Reset1, 2, 4, 5 | Profile that is specified in Printer Inventory | CONTROL |
Restore - IP PrintWay printers only | Profile that is specified in Printer Inventory | CONTROL |
Space - PSF printers only2 | Profile that is specified in Printer Inventory | CONTROL |
Start | Profile that is specified in Printer Inventory | CONTROL |
Stop printer and delete or hold the current print job2 | Profile that is specified in Printer Inventory | CONTROL |
Stop printer after the current print job completes | Profile that is specified in Printer Inventory | CONTROL |
Turn offline1, 2, 4, 5 | Profile that is specified in Printer Inventory | CONTROL |
Turn online1, 2, 4, 5 | Profile that is specified in Printer Inventory | CONTROL |
View log | Profile that is specified in Printer Inventory | READ |
View properties | Profile that is specified in Printer Inventory | READ |
|
Steps for defining profiles in the PRINTSRV class to protect printers
- Define a resource profile to RACF in
the PRINTSRV class.
You can define a profile for each printer, or you can define one profile for a group of printers or all printers.
Guidelines:- Select any name for the profile that RACF allows. However, do not start the name
with
AOP
to avoid conflict with profile names that IBM® uses now or in the future. Profile names can be up to 64 characters. - Give the profile universal READ access if you want all Infoprint Central users to be able to view properties of the printer.
- For information about specifying the NOTIFY and AUDIT parameters on the RDEFINE command, see Requesting RACF notification and auditing.
Example: To define a profile that is named PRINTERS.DENVER for printers in the Denver location, with universal READ access, enter this RACF command:RDEFINE PRINTSRV (PRINTERS.DENVER) UACC(READ)
- Select any name for the profile that RACF allows. However, do not start the name
with
- Give users access to the resource profile. For information about the access that is required to do printer actions in Infoprint Central, see Table 1. To let users do all printer actions, give CONTROL access.Example: To give users CONTROL access to the profile, enter this RACF command:
PERMIT PRINTERS.DENVER CLASS(PRINTSRV) ACCESS(CONTROL) ID(userid or groupid)
- Refresh the PRINTSRV class. Example:
SETROPTS RACLIST(PRINTSRV) REFRESH
- IP PrintWay printers: Specify the name of the profile
in the printer definition for the printer in the Printer Inventory. Important: If more than one printer definition exists for a printer, specify the same profile in all printer definitions. Otherwise, Infoprint Central might not check the profile. To find all printer definitions for a printer, on the Select Printer Definitions ISPF panel, specify the host name or IP address of the printer in the IP address field.Tips:
- If the same profile applies to a group of printers, for example to all printers in a particular location, specify the same profile in the printer definitions for all the printers.
- You can use the Infoprint Server ISPF panels or the Printer Inventory Definition Utility (PIDU) to edit the printer definition. If you want to specify the same operator security profile in many IP PrintWay printer definitions, it is easier to use PIDU as shown in the following example. For information about how to use the ISPF panels and PIDU, see z/OS Infoprint Server Operation and Administration.
- To specify the same operator security profile in a group of IP PrintWay printer definitions, create a Protocol component with the name of the security profile and specify that Protocol component in all the printer definitions. Creating a component makes it easier to change the name of the profile if necessary.
- If the profile you specify is not defined to RACF, Infoprint Central proceeds as if the user has the required access to the profile.
Examples:- This ISPF screen shows how to specify the name of the profile in a printer definition that uses
the LPR protocol.
LPR Protocol Printer definition name . myprinter Operator security profile . . . PRINTERS.DENVER Printer IP address . myprinter.xyzcorp.denver (extend) Print queue name . . PASS (extend) ⋮
- These PIDU commands show how to specify the name of the same RACF profile in all IP PrintWay printer definitions
that do not already contain a profile name.
- Enter these commands as one command on the z/OS®
UNIX command line:
The PIDU list command lists the names of all IP PrintWay printer definitions with no value in the operator-security-profile attribute. These names are piped to the awk program, which writes modify commands to modify the printer definitions to file /tmp/defs.pidu -qc "list printer where printer-type=ip-printway and operator-security-profile=null;" | awk'{print "modify printer " $1 " operator-security-profile = \"PRINTERS.DENVER\";"}' > /tmp/defs
- Inspect the /tmp/defs file to make sure the modify commands are acceptable.
- Enter this command to update the Printer Inventory:
pidu /tmp/defs
- Enter these commands as one command on the z/OS®
UNIX command line:
- PSF printers: Specify the name of the profile in the printer's
FSA definition in the Printer Inventory. Tips:
- If the same profile applies to a group of printers, for example to all printers in a particular location, specify the same profile in the PSF FSA definitions for all the printers.
- You can use the Infoprint Server ISPF panels or the Printer Inventory Definition Utility (PIDU) to edit the FSA definition. If you want to put the same operator security profile in all PSF FSA definitions, it is easier to use PIDU as shown in the example. For information about how to use the ISPF panels and PIDU, see z/OS Infoprint Server Operation and Administration.
- If the profile you specify is not defined to RACF, Infoprint Central proceeds as if the user has the required access to the profile.
Examples:- This ISPF screen shows how to specify the name of the profile in the PSF FSA definition for the
printer.
Add PSF FSA, Channel Command ==> FSA Name. . . PRT00123 Description . ______________________________________________________(extend) Location. . . DENVER (extend) Operator security profile . . . PRINTERS.DENVER Processing Information: ⋮
- These PIDU commands show how to specify the name of the same RACF profile in all PSF FSA definitions
for TCP/IP-attached printers that do not already have a profile.
- Enter these commands as one command on the z/OS UNIX command
line:
The list command lists the names of all PSF FSA definitions for TCP/IP-attached printers with no value in the operator-security-profile attribute. These names are piped to the awk program, which writes modify commands to modify the operator-security-profile attribute.pidu -qc "list fsa where fsa-type=psf-tcpip and operator-security-profile=null;" |awk '{print "modify fsa " $1 " operator-security-profile=\"PRINTERS.DENVER\";"}' > /tmp/defs
- Inspect the /tmp/defs file to make sure the modify commands are acceptable.
- Enter this command to update the Printer Inventory:
pidu < /tmp/defs
- Enter these commands as one command on the z/OS UNIX command
line:
- PSF printers: Make sure that users are authorized to read the Printer Inventory. For information, see Authorizing users to read the Printer Inventory.