Protecting printers with profiles in the PRINTSRV class

You can define profiles in the PRINTSRV class to restrict who can work with printers. Profiles in the PRINTSRV class can apply to both IP PrintWay and PSF printers.

You can define a separate profile to protect each printer, or you can define one profile to protect a group of printers or all printers. For example, if you want to authorize different users to work with printers in different locations, define separate profiles for printers in each location. You can define one profile for all printers in Denver, and another profile for all printers in Houston. If you want to authorize the same group of users to work with all printers, you need to define only one profile.

You specify the name of the profile that applies to each printer in the Printer Inventory:
  • IP PrintWay printers: Specify the profile name in the printer's printer definition.
  • PSF printers: Specify the profile name in the printer's FSA definition.

Table 1 lists the printer actions users can do in Infoprint Central and the minimum access that is required to the printer's profile in the PRINTSRV class.

Table 1. Infoprint Central printer actions and the minimum access required to profiles in the PRINTSRV class

| To do this action in Infoprint Central | Access to this profile in the PRINTSRV class is required | This minimum access is required |
|---|---|---|
| Change forms - PSF printers only | Profile that is specified in Printer Inventory | UPDATE |
| Change job selection - PSF printers only | Profile that is specified in Printer Inventory | UPDATE |
| Find and display printers [1] | Profile that is specified in Printer Inventory | READ |
| Interrupt - PSF printers only [2] | Profile that is specified in Printer Inventory | CONTROL |
| Pause - PSF printers only [2] | Profile that is specified in Printer Inventory | CONTROL |
| Ping and run traceroute | Profile that is specified in Printer Inventory | READ |
| Redirect - IP PrintWay printers only [5] | Profile that is specified in Printer Inventory | CONTROL |
| Repeat - PSF printers only [2] | Profile that is specified in Printer Inventory | CONTROL |
| Reset [1, 2, 4, 5] | Profile that is specified in Printer Inventory | CONTROL |
| Restore - IP PrintWay printers only | Profile that is specified in Printer Inventory | CONTROL |
| Space - PSF printers only [2] | Profile that is specified in Printer Inventory | CONTROL |
| Start | Profile that is specified in Printer Inventory | CONTROL |
| Stop printer and delete or hold the current print job [2] | Profile that is specified in Printer Inventory | CONTROL |
| Stop printer after the current print job completes | Profile that is specified in Printer Inventory | CONTROL |
| Turn offline [1, 2, 4, 5] | Profile that is specified in Printer Inventory | CONTROL |
| Turn online [1, 2, 4, 5] | Profile that is specified in Printer Inventory | CONTROL |
| View log | Profile that is specified in Printer Inventory | READ |
| View properties | Profile that is specified in Printer Inventory | READ |

  1. To display information from the printer and to display some printer actions (turn online, turn offline, and reset), the SNMP read community name for the printer must be public, or it must be specified in the AOP_READ_COMMUNITY environment variable. For information about how to set this environment variable, see Customizing the environment variables file for the IBM HTTP Server - Powered by Apache (bin/envvars).
  2. These PSF printer actions do not apply to AFP Download Plus senders: Interrupt, pause, repeat, reset, space, stop printer and delete the current print job, turn offline, and turn online.
  3. To redirect an IP PrintWay printer to an alternative printer, CONTROL access is required to the profiles for both printers.
  4. To do some printer actions (turn online, turn offline, and reset), the Infoprint Central user must enter the SNMP write community name for the printer unless the write community name is public or it is specified in the AOP_WRITE_COMMUNITY environment variable. For information about how to set this environment variable, see Customizing the environment variables file for the IBM HTTP Server - Powered by Apache (bin/envvars).
  5. The RACF® profile for the printer in the PRINTSRV class restricts access to the reset, turn offline, and turn online actions. For information, see Protecting printers with profiles in the PRINTSRV class.

Steps for defining profiles in the PRINTSRV class to protect printers

  1. Define a resource profile to RACF in the PRINTSRV class.

    You can define a profile for each printer, or you can define one profile for a group of printers or all printers.

    Guidelines:
    1. Select any name for the profile that RACF allows. However, do not start the name with AOP to avoid conflict with profile names that IBM® uses now or in the future. Profile names can be up to 64 characters.
    2. Give the profile universal READ access if you want all Infoprint Central users to be able to view properties of the printer.
    3. For information about specifying the NOTIFY and AUDIT parameters on the RDEFINE command, see Requesting RACF notification and auditing.
    Example: To define a profile that is named PRINTERS.DENVER for printers in the Denver location, with universal READ access, enter this RACF command:
    RDEFINE PRINTSRV (PRINTERS.DENVER) UACC(READ) 
  2. Give users access to the resource profile.
    For information about the access that is required to do printer actions in Infoprint Central, see Table 1. To let users do all printer actions, give CONTROL access.
    Example: To give users CONTROL access to the profile, enter this RACF command:
    PERMIT PRINTERS.DENVER CLASS(PRINTSRV) ACCESS(CONTROL) ID(userid or groupid)
  3. Refresh the PRINTSRV class.
    Example: SETROPTS RACLIST(PRINTSRV) REFRESH
  4. IP PrintWay printers: Specify the name of the profile in the printer definition for the printer in the Printer Inventory.
    Important: If more than one printer definition exists for a printer, specify the same profile in all printer definitions. Otherwise, Infoprint Central might not check the profile. To find all printer definitions for a printer, on the Select Printer Definitions ISPF panel, specify the host name or IP address of the printer in the IP address field.
    Tips:
    1. If the same profile applies to a group of printers, for example to all printers in a particular location, specify the same profile in the printer definitions for all the printers.
    2. You can use the Infoprint Server ISPF panels or the Printer Inventory Definition Utility (PIDU) to edit the printer definition. If you want to specify the same operator security profile in many IP PrintWay printer definitions, it is easier to use PIDU as shown in the following example. For information about how to use the ISPF panels and PIDU, see z/OS Infoprint Server Operation and Administration.
    3. To specify the same operator security profile in a group of IP PrintWay printer definitions, create a Protocol component with the name of the security profile and specify that Protocol component in all the printer definitions. Creating a component makes it easier to change the name of the profile if necessary.
    4. If the profile you specify is not defined to RACF, Infoprint Central proceeds as if the user has the required access to the profile.
    Examples:
    1. This ISPF screen shows how to specify the name of the profile in a printer definition that uses the LPR protocol.
                                        LPR Protocol                                  
                                                                                      
       Printer definition name . myprinter                                    
       Operator security profile                                                      
           . . . PRINTERS.DENVER                                                     
                                                                                      
       Printer IP address . myprinter.xyzcorp.denver                         (extend) 
       Print queue name . . PASS                                             (extend) 
                                                                                      
       
      ⋮
    2. These PIDU commands show how to specify the name of the same RACF profile in all IP PrintWay printer definitions that do not already contain a profile name.
      1. Enter these commands as one command on the z/OS® UNIX command line:
        pidu -qc "list printer where printer-type=ip-printway and 
        operator-security-profile=null;" | awk '{print "modify printer " $1 
        " operator-security-profile = \"PRINTERS.DENVER\";"}' > /tmp/defs
        The PIDU list command lists the names of all IP PrintWay printer definitions with no value in the operator-security-profile attribute. These names are piped to the awk program, which writes modify commands to modify the printer definitions to file /tmp/defs.
      2. Inspect the /tmp/defs file to make sure the modify commands are acceptable.
      3. Enter this command to update the Printer Inventory:
        pidu /tmp/defs
  5. PSF printers: Specify the name of the profile in the printer's FSA definition in the Printer Inventory.
    Tips:
    1. If the same profile applies to a group of printers, for example to all printers in a particular location, specify the same profile in the PSF FSA definitions for all the printers.
    2. You can use the Infoprint Server ISPF panels or the Printer Inventory Definition Utility (PIDU) to edit the FSA definition. If you want to put the same operator security profile in all PSF FSA definitions, it is easier to use PIDU as shown in the example. For information about how to use the ISPF panels and PIDU, see z/OS Infoprint Server Operation and Administration.
    3. If the profile you specify is not defined to RACF, Infoprint Central proceeds as if the user has the required access to the profile.
    Examples:
    1. This ISPF screen shows how to specify the name of the profile in the PSF FSA definition for the printer.
       Add                            PSF FSA, Channel                              
       Command ==>                                                                  
                                                                                    
       FSA Name. . . PRT00123                                     
       Description . ______________________________________________________(extend) 
       Location. . . DENVER                                                (extend) 
       Operator security profile                                                    
           . . . PRINTERS.DENVER                                                    
                                                                          
       Processing Information:  
      
      ⋮
                                                            
    2. These PIDU commands show how to specify the name of the same RACF profile in all PSF FSA definitions for TCP/IP-attached printers that do not already have a profile.
      1. Enter these commands as one command on the z/OS UNIX command line:
        pidu -qc "list fsa where fsa-type=psf-tcpip and 
        operator-security-profile=null;" |awk '{print "modify fsa " $1 
        " operator-security-profile=\"PRINTERS.DENVER\";"}' > /tmp/defs
        The list command lists the names of all PSF FSA definitions for TCP/IP-attached printers with no value in the operator-security-profile attribute. These names are piped to the awk program, which writes modify commands to modify the operator-security-profile attribute.
      2. Inspect the /tmp/defs file to make sure the modify commands are acceptable.
      3. Enter this command to update the Printer Inventory:
        pidu < /tmp/defs
  6. PSF printers: Make sure that users are authorized to read the Printer Inventory. For information, see Authorizing users to read the Printer Inventory.
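
The tips above note that a profile name that is not defined to RACF is treated as if the user has access, and that all printer definitions for one printer must name the same profile. The following check for those conditions is an added example, not part of the IBM documentation. Its two input file formats and the function names are assumptions made for illustration: a three-column inventory listing (definition name, printer address, profile) and a list of profile names defined in the PRINTSRV class, one per line.

```shell
#!/bin/sh
# Added example. Input formats are assumptions, not PIDU or RACF output:
#   inventory file: <definition-name> <printer-address> <profile, or - if none>
#   profiles file:  one profile name defined in the PRINTSRV class per line

audit_profiles() {   # $1 = inventory file, $2 = profiles file
  awk '
    FILENAME == ARGV[1] { if ($1 != "") defined[$1] = 1; next }
    NF >= 2 {
      name = $1; addr = $2; prof = (NF >= 3 ? $3 : "-")
      if (prof == "-") {
        print "NOPROFILE " name
      } else if (!(prof in defined)) {
        # Not defined to RACF: Infoprint Central proceeds as if access is held
        print "UNDEFINED " name " " prof
      }
      # All definitions for one printer address must name the same profile
      if (!(addr in first)) {
        first[addr] = prof
      } else if (first[addr] != prof && !(addr in reported)) {
        print "MISMATCH " addr
        reported[addr] = 1
      }
    }
  ' "$2" "$1"
}

run_sample() {   # constructed sample data, not taken from a real inventory
  dir=$(mktemp -d) || return 1
  cat > "$dir/inventory" <<'EOF'
denver1   prt1.xyzcorp.example  PRINTERS.DENVER
denver1b  prt1.xyzcorp.example  -
houston1  prt9.xyzcorp.example  PRINTERS.HOUSTON
EOF
  printf '%s\n' 'PRINTERS.DENVER' > "$dir/profiles"
  audit_profiles "$dir/inventory" "$dir/profiles"
  rm -rf "$dir"
}

run_sample
```

Any NOPROFILE, UNDEFINED, or MISMATCH line identifies a definition to correct before relying on the PRINTSRV profile to restrict printer actions.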