PaperCut NG is designed to keep user management simple and automated by synchronizing against an external user directory source such as Active Directory, Open Directory, eDirectory or LDAP. This simplifies administration of the system by avoiding the need to manage a separate database of users, passwords, user details and groups. Synchronizing against a user directory is the recommended way to manage user accounts, and ensures:
The tool is right for the job. User directories are specifically designed for managing users, and can provide a wide range of useful features. It also allows for "single sign-on", allowing users to log in with the same username and password across many different applications.
Scalability and centralization of user management. Many applications may access the same user directory, so the effort to set up users only needs to be performed once, rather than once for each application.
Application vendor neutrality. Switching to a different application is possible, because the users are not 'locked in' to any particular application.
The first option should always be to manage users in a user directory, but there are some situations where this is not possible or not ideal, for example:
When a guest visits the organization they may require access to network resources, but it requires too much effort to create them an account in the user directory. (They may receive a temporary / generic login instead.)
Some parts of the organization want to manage their own set of users that cannot or should not be created in the main user directory. For example a university may run a short course where the students only require limited or sporadic access to network resources. They will not have accounts in the user directory, but still require the ability to print.
The organization does not have enough users to warrant a user directory / domain (i.e. a workgroup or peer-to-peer environment is in place).
For these situations, PaperCut NG provides the internal users feature. The following section discusses how to get started with the internal users feature, and how to configure it to suit your environment. Internal users are best thought of as user accounts that only exist inside PaperCut NG and are independent of the domain, network or operating system.
The internal users feature allows management of users inside PaperCut NG, removing the need to create or manage them in an external user directory. There are several ways the feature can be utilized:
Selected staff can be given access to create internal user accounts. This gives staff control over who can receive a new account, preventing the creation of unwanted accounts (e.g. with offensive usernames).
Users can be given the ability to create their own internal accounts via a web based registration form. This can be useful for providing guests the ability to register their own accounts and begin printing immediately, removing the need for staff intervention.
Administrators can create a new batch of internal users via a text based file import. This can be used to import or update a set of users that are managed separately to the regular domain users. For more information about the internal users batch import and update feature, see the section called “Batch Internal User Import and Update”.
The following sections present several different environments and how the internal users feature can be used to accommodate them. For information about specific configuration, the section called “Internal Users Options” provides full details about each available option.
North Shore University has a campus that occasionally hosts students from other universities. These guest students do not have a login in the university's domain, and it is considered too much effort to go through "official channels" to create one for them.
The administrator would like to provide selected staff the ability to create PaperCut NG accounts for these guest students as needed. To go about this, the administrator performs the following:
The guest students are first provided with access to computers or network resources using the generic login guest, password guest.
The generic guest login is marked as Unauthenticated using the PaperCut NG administration interface. This option is available on the user's details page.
Navigates to → → .
Checks the Enable internal users option, and under Access control selects Only admins can create users.
The Confirmation message is tailored to provide relevant information such as how to log in.
Presses .
PaperCut NG administrator access is assigned to the staff who will be responsible for creating the new student guest accounts. The administrator right Create internal users is required for this purpose. For more information about assigning administrator rights see the section called “Assigning Administrator Level Access”.
Ensures that the PaperCut NG client software is running on workstations where guest printing will be allowed.
The system is now configured to allow selected staff the ability to create internal accounts for the guest students. When a guest student prints from the generic guest login, the PaperCut NG client tool will display the authentication popup. This will allow them to enter their personal username and password, assigned by the administrator when registering their internal user account.
Staff can create an internal user account for a guest student as follows:
Log into the PaperCut NG administration interface, and select the Create internal user... action from the Actions menu of the Users tab.
Complete the form and press .
West Face College is a large community college that regularly has members of the public visiting to use the library resources.
It is not feasible to create a domain login for every visitor, and manually creating an internal user account for each guest would require too much time of the administrators or staff, so the decision is made to automate the process and allow guests to register their own internal user accounts.
To set up the internal users feature and allow guest self-registration, the administrator performs the following:
The guests are first provided with access to computers or network resources using the generic login guest, password guest.
The generic guest login is marked as Unauthenticated using the PaperCut NG administration interface. This option is available on the user's details page.
Navigates to → → .
Checks the Enable internal users option, and under Access control selects Users can register their own account.
Checks Display registration links on login screens so that users will have easy access to the registration interface.
Changes the Link text to Guests click here to register, to provide a better clue for guests.
Adds more information about the organization's printing policy, how to access printing resources, etc. under Additional registration instructions. A note is also added to specify that only guests need to register to access printing resources - students or users with existing accounts do not need to register.
Presses .
Ensures that the PaperCut NG client software is running on workstations where guest printing will be allowed.
Creates an information sheet for guests, providing instructions about how to register, how to print, and where to find additional help. Most people will not need this kind of information to work out how to use the system for themselves, but some people appreciate step-by-step instructions.
The system is now configured to allow guests to register their own internal user accounts. When a guest user prints from the generic guest login, the PaperCut NG client tool will display the authentication popup. This will allow them to enter their personal username and password, chosen when registering their internal user account.
For a guest to create an internal user account, they must:
Click the Register as a New User link on a login screen (the web interface login screen, or on the authentication popup), or access the registration web interface directly at http://[server-name]:9191/register.
Complete the form and press .
Southmark Inc. is a medium sized ten person real estate office servicing the local area. Their network consists of a mix of Windows XP and Windows Vista workstations connected to a workgroup based network. No user directory / domain exists, and setting one up is not a current priority. They would like to take control of their printing costs and volumes, and use PaperCut NG to identify the amount of printing performed by each staff member.
Because no user directory exists, PaperCut NG will be used to maintain user accounts, details and passwords for all staff. To set this up, the administrator performs the following:
Navigates to → → in the PaperCut NG administration interface.
Ensures that the Enable internal users option is enabled.
Removes (sets to blank) the value for Prefix usernames with:. There is no need for an internal username prefix, because all users will be internal!
Collects a chosen username and password from each staff member. This is used to construct a batch import file, using the format specified in the section called “Batch Internal User Import File Format”.
Imports the batch file into PaperCut NG using server-command to create a new internal user account for each staff member, following the directions in the section called “Batch Internal User Import and Update”.
Follows the directions in the section called “User Client Deployment” to deploy the client software to each workstation in the office.
When staff send print jobs from their workstations, they arrive at the print server under the generic guest username. The administrator marks this generic account as Unauthenticated using the PaperCut NG administration interface. This option is available on the user's details page.
The batch of internal user accounts has now been imported, ready for the staff to use them. When a staff member next sends a print job, the PaperCut NG client tool will display the authentication popup. This will allow them to enter their personal username and password, provided to them on arrival, having been assigned by the administrator in the batch import file.
The options for configuring internal users are located at → → in the administration interface.
The available options are:
Enable internal users - enables or disables the feature in general. If the feature is disabled, internal users will not be able to be created.
Access control - determines who may create internal users. The available options are:
Users can register their own account - A web based interface will be available for users to register their own account. This allows users to register their own accounts without intervention from staff or administrators.
Only admins can create users - Only administrators will be able to create users via the PaperCut NG administration interface. For information about delegating this access to additional users see the section called “Assigning Administrator Level Access”.
Display registration links on login screens - When enabled, PaperCut NG login screens will display a Register as a New User link. Clicking this link takes the user to the web based registration interface, allowing the user to create their own internal user account. If disabled, registration links will not appear, and users may only access the web based registration interface by navigating to the URL at http://[server-name]/register.
Link text - The text used for registration links on login screens. The default link text is Register as a New User. An example of alternate link text might be Guests click here to register.
Additional registration instructions - This option allows additional instructions to be provided to users when registering; they are displayed above the web based registration form. Specific instructions will vary from site to site, but could include information such as how to log in and print, how to add credit to their account, or where to find additional help.
User must enter an email address - Enable this option to require that the user enters an email address. If disabled, entering an email address is optional.
Allow user to choose their own identity number - If enabled, the user will be able to enter/choose their own identity number. The chosen identity number must be at least 6 digits, and must be unique. If disabled, a unique identity number will be automatically generated for the user. Identity numbers may be used for logging into some devices where only a numeric keypad is available.
Allow user to choose their own ID PIN - If enabled, the user will be able to enter/choose their own ID PIN. The chosen PIN must be at least 4 digits. If disabled, a random PIN will be automatically generated for the user.
Prefix usernames with: (optional) - This prefix will be applied to the username of all users registering via the web based interface. E.g. if a user chooses the name john, and the username prefix is guest-, their allocated username will be guest-john. This prevents name clashes with existing or future users from the configured user/group sync source, and immediately identifies the user as being internal.
Confirmation message - This message is displayed to the user after they have completed registration. It may also be emailed to the user (see next option).
Also email confirmation message to user - If this option is enabled the confirmation message will be emailed to the user after registration (if an email address was provided).
An alternative to the PaperCut NG client tool's authentication popup is to use a print release station in Release Any mode. After ensuring that guest users have their own internal account, this will allow users to submit a print job under a guest/generic login, then authenticate at the release station and choose which job(s) they would like to release. For more information about setting up a release station see Chapter 10, Hold/Release Queues & Print Release Stations.
To delete an internal user, navigate to their User Details page in the administration interface by clicking on the user in the User List, then select the Delete user item from the Actions list. The domain/network-level User and Group Synchronization settings and operations do not affect and will not delete internal users.
The special [Internal Users] group contains all internal users. It can be used to produce reports showing information about internal users, or to apply a bulk user operation on all internal users.
When using the Internal User functionality of PaperCut NG, there may be a need for the Internal User to change their password. This can be done by users and administrators.
Administrators can reset the password via the user's details page in the PaperCut NG Application Server Administration Console. There is a "Change Password Link" located near the Internal User Settings heading.
The Internal User can reset their password via the User Web pages by clicking on Change Details.
Administrators can turn on or off the ability for Internal Users to change their password by using the Config Editor and modifying the key: internal-users.user-can-change-password
This section covers the batch importing and updating of internal users. Internal users are managed internally by PaperCut NG, and may be used in addition to those in the configured user directory source. For more information about internal users see the section called “Internal Users (users managed by PaperCut NG)”. For information about importing and updating regular users see the section called “Batch User Data Import and Update”.
The batch internal user import and update feature allows the administrator to import users, user information and optionally update existing internal user details by reading data from a simple text file. In addition to being able to create internal users, it enables administrators to update the following user data:
Password
Credit balance
Restriction status
Full name
Email address
Department
Office
Card/ID Number
Card/ID PIN
Notes
An internal user can be deleted by selecting the Delete user action while viewing the user. Features to simplify the deletion of multiple users (a 'batch delete') will be introduced in a future version.
Examples of where the batch user import feature is useful include:
Several guests to the organization will be arriving at the same time and will require their own accounts in PaperCut NG.
A set of users needs to be managed separately / externally to the existing user directory source. For example, the users of a certain computer lab require their own accounts in PaperCut NG, but it is not possible to create accounts for them in the existing user directory.
Details for existing internal users need to be updated.
To perform a batch internal user import:
Manually inspect your file in a text editor and ensure it's in the prescribed tab-delimited format as detailed at the section called “Batch Internal User Import File Format”.
Follow the directions in the section called “Server Commands (server-command)” to run the server-command batch-import-internal-users.
For example, to import/update internal users from a file import.tsv on a Windows system:
C:\> cd "C:\Program Files\PaperCut NG\server\bin\win"
server-command batch-import-internal-users "C:\extra users\import.tsv"
Note that the import path should be quoted if it contains spaces.
The import process will start running in the background. See the App. Log tab in the administration interface to check the status of the import or if any errors were encountered.
Batch imports are a major operation, modifying data en masse. Best practice suggests:
Always run a backup before proceeding with the import.
First experiment/test the import process with a small batch of users before moving onto the full batch.
The import file is in tab delimited format and contains the following fields in the given order:
No. | Field | Description | Optional? | Limitations |
---|---|---|---|---|
1. | Username | The internal user's username. If the policy is to use a username prefix for internal users, include the prefix here (e.g. ) | Mandatory | Max. 50 characters |
2. | Password | The user's password | Optional - although internal users cannot log in without a password | |
3. | Credit Balance | The user's credit balance | Optional - balance not set if blank | A number with no currency symbol or separators, using a full stop for the decimal separator. Correct: Incorrect: |
4. | Restricted Status | The user's restricted status. (Y/N) | Optional - restricted status not set if blank | |
5. | Full Name | The user's full name | Optional - full name not set if blank | Max. 255 characters |
6. | Email Address | The user's email address | Optional - email not set if blank | Max. 255 characters |
7. | Department | The user's department or faculty | Optional - department not set if blank | Max. 200 characters |
8. | Office | The user's office or location | Optional - office not set if blank | Max. 200 characters |
9. | Card/ID Number | The user's identity/card number | Optional - card/id number not set if blank | Max. 200 characters, case insensitive |
10. | Card/ID PIN | The user's card PIN number | Optional - card/id PIN not set if blank. If the field is '-' then the PIN is set to zero. | Max. 20 digits |
11. | Notes | Notes about the user. | Optional - notes not set if blank | Max. 2000 characters |
Table 28.1. Internal User Import File Format
Other limitations: Although any actual limit to the size of an import file should be large enough for any purpose, we recommend keeping the file size below 10MB.
If an optional field is not specified in the import file then it will not be updated. To remove or "blank out" an existing value, use a single "-" (hyphen / dash).
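A pre-import check for the file format in Table 28.1, as an added example (not PaperCut's own code): it applies the field order, the length limits and the "-" convention described above before the file is handed to server-command. The function names and sample rows are constructed for illustration; accepting a leading minus in the balance and only upper-case Y/N are assumptions.

```python
import re

# Field order and length limits from Table 28.1 (None = no limit stated).
FIELDS = [
    ("Username", 50), ("Password", None), ("Credit Balance", None),
    ("Restricted Status", None), ("Full Name", 255), ("Email", 255),
    ("Department", 200), ("Office", 200), ("Card/ID Number", 200),
    ("Card/ID PIN", 20), ("Notes", 2000),
]
CLEAR = "-"  # a lone hyphen blanks out the existing value
# Assumption: a leading minus sign is accepted; the page does not say.
BALANCE_RE = re.compile(r"-?[0-9]+(\.[0-9]+)?")


def validate_line(line, creating=False):
    """Return the problems found in one import line (empty list = OK)."""
    values = line.rstrip("\r\n").split("\t")
    if len(values) > len(FIELDS):
        return [f"{len(values)} fields, expected at most {len(FIELDS)}"]
    values += [""] * (len(FIELDS) - len(values))  # omitted fields count as blank
    row = {name: value for (name, _), value in zip(FIELDS, values)}

    def is_set(name):
        return row[name] not in ("", CLEAR)

    problems = []
    if not is_set("Username"):
        problems.append("Username is mandatory")
    for name, limit in FIELDS:
        if limit is not None and len(row[name]) > limit:
            problems.append(f"{name} exceeds {limit} characters")
    # creating=True: a new internal user cannot log in without a password.
    if creating and not is_set("Password"):
        problems.append("Password missing: the new user cannot log in")
    if is_set("Credit Balance") and not BALANCE_RE.fullmatch(row["Credit Balance"]):
        problems.append("Credit Balance is not a plain number")
    if is_set("Restricted Status") and row["Restricted Status"] not in ("Y", "N"):
        problems.append("Restricted Status must be Y or N")
    if is_set("Card/ID PIN") and not re.fullmatch(r"[0-9]+", row["Card/ID PIN"]):
        problems.append("Card/ID PIN must contain digits only")
    return problems


def validate_text(text, creating=False):
    """Map 1-based line numbers to problems, for lines that have any."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip() and (found := validate_line(line, creating)):
            report[number] = found
    return report


# Constructed sample: line 1 is valid, lines 2-4 each break a rule.
SAMPLE = (
    "guest-anna\tS3cr3t!pw\t5.00\tY\tAnna Example\tanna@example.com\tLibrary\t\t100234\t4821\tconstructed\n"
    "guest-bob\t\t$10,00\tmaybe\n"
    "\tpw\n"
    "guest-carol\t-\t-\tN\t\t\t\t\t\t12ab\n"
)
```

Because field 2 holds each password as plain text, keep the import file readable only by the administrator running the import and remove it once the App. Log shows the import has finished.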
A simple way to create a tab delimited file is to create a spreadsheet in Microsoft Excel, then save it in the Text (Tab delimited) format.
For some examples of using tab-delimited files, see the section called “Import File Format Examples”.
© Copyright 1999-2011. PaperCut Software International Pty Ltd. All rights reserved.