Assigning Administrator Level Access

PaperCut NG sets up one administrator account called “admin”. This is the master administrator account, with access to all features, whose password is assigned during the configuration wizard. In large organizations it is likely that administrator level access will need to be granted to more than one person. One solution is to give all persons the master password; however the recommended approach is to assign administrator rights to these individual's network user accounts. The advantages of this approach are:

Administrator access may be assigned at the group or user level. Assigning admin access to a group is convenient for giving the same permissions to multiple users. Assigning admin access to a user is useful when specific permissions are required. See the following sections for more detail.

Tip

Administrative users should login via http://servername:9191/admin rather than http://servername:9191/, http://servername:9191/app or http://servername:9191/user so that they are directed to the correct interface.

Important

PaperCut NG allows different levels of administrator access to be defined via access control list. The access list is presented as a series of checkboxes enabling or disabling access to selected features or application areas.

For security reasons it is advisable to:

  • Grant the user's own accounts administrator level rights rather than have them use the general built-in admin account.

  • Grant the administrator the minimum level rights need for them to perform their job.

  • ACL configuration can be complex. Always test that the ACL rights assigned work as expected by asking the administrator to log in and verify that they can access the required program functions.

Assigning Administrator Access to a Group

Assigning administrator access to a group is useful when many users all require access to the same functionality. For example, the Management group might be assigned access to reporting functionality only.

Groups in PaperCut NG are mirrored from the domain / directory server. Before a group can be used, it must be added to PaperCut NG (see the section called “Groups in PaperCut NG” for more information). By default PaperCut NG synchronizes users' group membership with the domain / directory server overnight. If a user has been added to a group in the domain / directory and requires group level admin access on the same day, a manual synchronization should be run. See the section called “User and Group Synchronization” for more information.

Example: assigning the Management group access to reporting features:

  1. Log in to the system as the built in admin user.

  2. Ensure that the Management group has been imported into PaperCut NG (see the section called “Groups in PaperCut NG” for more information).

  3. Navigate to the OptionsAdmin Rights page.

  4. In the field titled Assign administrator access to this group:, select the Management group from the list, and click Add Group.

    The list of users and groups granted admin access

    Figure 12.5. The list of users and groups granted admin access

  5. By default Management will have access to all features. To change this, click on the edit link to the right of Management's entry or the name of the group itself.

  6. Deselect all access rights for Management except Access reports section. When finished, click Apply to save the changes.

  7. Test by logging into the administrator interface as a user in the Management group, and checking that access is allowed just to the Reports section.

Tip

The scheduled reports feature can automatically deliver selected reports via email to interested parties. See the section called “Scheduling and Emailing Reports” for more information.

The list of users and groups granted admin access

Figure 12.6. The list of users and groups granted admin access

Assigning Administrator Access to a User

Assigning access to an individual user is suitable when the access rights are specific to that user. For example, the junior system administrator mary might be assigned access to all functionality except the ability to grant administrator rights to other users.

Assigning the user with login name mary all admin rights except the ability to grant admin rights to other users:

  1. Log in to the system as the built in admin user.

  2. Navigate to the OptionsAdmin Rights page.

  3. Enter mary into the field titled Assign administrator access to this user: and click Add User.

  4. By default mary will have access to all features. To change this, click on the edit link to the right of mary's entry or the name of the user itself.

  5. Deselect the access right Access admin rights settings for mary.

  6. Click on the Apply button to save the change.

  7. Verify that Mary can now log into the administrator interface, but is unable to access the Admin Rights section.

The list of users and groups granted admin access

Figure 12.7. The list of users and groups granted admin access