Restrict access to a Print Queue by group

Pharos Cloud supports assigning groups at the Print Queue level. This enhancement offers flexibility in giving access to specific print queues. For example, your IT administrator can configure Direct Print to grant exclusive access to the “Color print queue” for the Marketing group, while allowing all users to print to a “Black and White print queue”.

Notes:

  • Print Queue level permissions are not supported on the Chrome extension or the macOS Print Scout. Only device level permissions apply to the Chrome extension.
  • Permissions set at the queue level override permissions set at the device level.

Note: To ensure backwards compatibility, upgrading to the latest version preserves all current printer level permissions and allows printer level permissions to continue to be created and managed.

Limitations

  • macOS Scout with the Active Directory authentication provider is not supported. User domain groups cannot be loaded into Pharos Cloud.
  • To restrict a Print Queue by group, you will need to update user workstations to the latest Print Scout (October 2023 or later).
  • For Email Auth and OpenID, group information can be updated almost instantly by importing an updated user file. For Active Directory, it takes at least a day for group changes to be uploaded by the Print Scout.

Add Groups

There are three ways to add groups to Pharos Cloud:

  • Import groups (for Email Auth and OpenID) using the existing user import in the Advanced > Settings tab in the web console.
  • If using Active Directory, the Print Scout sends user groups to Pharos Cloud. Users must have printed at least one document for the Print Scout to send user groups.
  • Automatic provisioning from identity providers using the System for Cross-domain Identity Management (SCIM) protocol.

Import Groups (for sites with Email Auth and OpenID authentication)

If your authentication provider is either Email Authentication or OpenID Connect, you will need to import groups into Pharos Cloud. Import a comma-separated values (CSV) file containing users' email addresses and groups.

Note: For OpenID, the email addresses in the CSV file must match the email addresses associated with the user accounts in the OpenID authentication provider.

To import groups for use with Direct Print:

1. Navigate to the Secure > Advanced tab (for sites with a Secure Print license) or the Direct > Settings screen (for sites with a Direct Print license only).

2. Download the CSV sample file. Email and UserGroups are mandatory fields.

3. Click the Import button and then select the CSV file to import.

4. Map data by dragging CSV column headers to the appropriate data column. The mapping view shows the CSV fields in the left column, called CSV columns. The fields in Pharos Cloud appear in the right column, called Data Columns.

5. Click the Preview tab to see up to the first 50 rows of CSV data and verify that the mappings are correct.

6. Click OK. A window displays the results of the import, the number of rows processed, and any errors during the import process.
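Because the imported groups decide who can print to a restricted queue, it is worth checking the file before step 3. The following is an added example, not Pharos code: it assumes the CSV keeps the header names Email and UserGroups, treats email addresses as case-insensitive, and uses constructed sample rows.

```python
import csv
import io
import re

REQUIRED = ("Email", "UserGroups")  # mandatory fields named in step 2
# Loose sanity check only (assumption); not a full address validator.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")

# Constructed sample data, not taken from the Pharos sample file.
SAMPLE = """Email,UserGroups
alice@example.com,Marketing
bob@example.com,
not-an-email,Marketing
Alice@example.com,Finance
"""

def check_group_csv(text):
    """Return (line_number, problem) tuples for a group import CSV."""
    reader = csv.DictReader(io.StringIO(text))
    headers = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED if c not in headers]
    if missing:
        return [(1, "missing mandatory column(s): " + ", ".join(missing))]
    reader.fieldnames = headers  # use the whitespace-trimmed header names
    problems, seen = [], {}
    for row in reader:
        line = reader.line_num
        email = (row.get("Email") or "").strip()
        groups = (row.get("UserGroups") or "").strip()
        if not EMAIL_RE.match(email):
            problems.append((line, f"invalid or empty Email: {email!r}"))
            continue
        if not groups:
            problems.append((line, f"{email}: empty UserGroups"))
        key = email.lower()
        # The same user listed twice with different groups is ambiguous.
        if key in seen and seen[key][1] != groups:
            problems.append((line, f"{email}: conflicts with line {seen[key][0]}"))
        seen.setdefault(key, (line, groups))
    return problems

if __name__ == "__main__":
    for line, problem in check_group_csv(SAMPLE):
        print(f"line {line}: {problem}")
```

An empty result means the file passed these checks; the import results window in step 6 remains the authoritative report of what Pharos Cloud accepted.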

Populating Groups for Active Directory Authentication

With Active Directory Authentication, you do not need to import groups into Pharos Cloud as you do with Email Auth and OpenID. The Print Scout component automatically uploads user groups (both Global and Universal groups) into the web console. This applies to the following customer configurations:

  • Secure Release license with Active Directory authentication
  • Direct Print license with Active Directory authentication

Initially, uploading groups to Pharos Cloud is triggered by a user's first print job. The first time an employee prints a document from their workstation, the Print Scout sends the user's group information to Pharos Cloud. After the first group upload, the Print Scout syncs user groups with Active Directory daily. If a change is detected (e.g., a new user group is added), it re-uploads the updated list to Pharos Cloud.

Note: If for some reason the user group upload does not occur during the user’s first print, it will occur during the next scheduled upload, which typically happens the following day.

Restrict Access to a Print Queue by group

To restrict access to a direct printer by group:

1. Go to the Direct > Direct Printers > Print Queues tab.

2. Select a print queue that you want to add to a group. Select the print queue by checking the box next to the print queue record.

3. Expand Permission Groups in the Queue Properties section (found on the right hand side of the screen).

4. In the search bar, search for the group that you want to assign to the selected printer. Click the + button to add a group.