Print Management with Role-based Access Control

Posted by Josh Macdonald

The recent release of PrinterLogic Web Stack (formerly Printer Installer) brings the highly anticipated addition of role-based access control or “RBAC.” As a system administrator for an enterprise print management solution, you are tasked with balancing restrictions for what IT users can do within a system, without blocking them from getting their job done. This practice is known as the principle of least privilege. You can apply the principle of least privilege across your network using complicated group policies and active directory user, groups, containers and organizational units. Doing so ensures your end users are only able to access the information, tools and resources needed to complete their day to day tasks.

With a one year old boy at home, my wife and I have taken measures to protect him (and us). We have locked cabinets, keep doors shut and make sure the dog food dishes are out of reach. Recently, my wife heard the familiar sound of the dog door opening. With the dog on the floor next to her, she rushed into the kitchen and arrived just in time to catch our son sliding through his new found portal to freedom.

When the principle of least privilege isn’t being applied to a network of any size, you leave the “dog door” wide open for some serious headaches. At PrinterLogic, we understand the importance of the principle of least privilege, and that is why the recent release of PrinterLogic Web Stack includes RBAC.

In the past we have had three non-configurable roles: Administrator, Manager and Deployer. As we interacted with our customers, we discovered they were looking for six roles: Administrator, Site Manager, Deploy Manager, Help Desk, Print Job Manager and Administrative Auditor. But we also took it one step further and provided the ability to create custom roles to fit any position on your team.

When you create a new role, you can either build it from the ground up, or simply clone an existing role and change the permissions. Each part of the admin console is represented in the permission tree, so you can get very granular in setting the permissions of the user. Notice that you can hide menu items, folder objects, and printers from each user, limiting their scope. You can also give them view-only permissions. Now you have the option to limit your help desk workers in Australia to only see printers in the Sydney office and only deploy printer drivers, but not change the printer settings, for example.

As you get used to this granular approach, you will see that you can create roles based on every worker who needs access to print management in your organization, giving them the least privileges, but enough to get their job done.

Role Based Access Control

Are you concerned about what will happen with your existing roles you have in version 15.1 as you upgrade to 16.1? As you upgrade to 16.1 from 15.1 the administrator role remains the same. The manager role will change to a site manager role and the deployer role will change to the deploy manager. Nothing will change in regards to permissions with those roles except for the fact that in 15.1 if the role did not have certain permissions those functions were grayed out in the platform. Now we completely hide those features so anything a role does not have view or modify permissions to is now completely hidden from the user.

With PrinterLogic, you now have the power to implement RBAC on a very granular level. Adding this to the benefits of print server elimination, centralized management, a self-service installation portal, Pull and Mobile Printing and more…what more could you ask for? Seriously. If there’s more you are asking for. Leave a comment below.