8 Replies Latest reply on Jul 6, 2016 10:01 AM by Jeff Herald

    Multiple Group membership - Possible?  No?

    Paul LaFollette Guide

      From what I can see, in Pharos Uniprint each user is a member of one (and only one) User Group at any time.  I have questions:

      1. Why?  Why must each user be a member of only one User Group?
      2. Might it be possible (probably in a future Uniprint version?) for users to be members of more than one User Group?
      3. What problems would arise if users could be members of more than one User Group?
      4. Are there limits to the number of User Groups that can be defined in Uniprint?

       

      It seems to me, if users could be members of more than one User Group, the User Group membership could be easily (very easily) mirrored with Active Directory membership, thus allowing much greater flexibility with print options and controls. 

       

      We use Secured Release for all our Release Station controlled printers; however, we use a lot of Direct Printing (with no release stations), which to the end users feels like traditional printing (hit Print at the computer, print job comes out on the printer, release/billing/etc. is all automatic), and this is where User Group membership becomes important. However, because Uniprint users can only be members of one Uniprint User Group at a time, it is a huge problem to set up and maintain if any print controls based on Uniprint User Group membership are applied.

       

      If Uniprint Users were allowed to be members of multiple Uniprint User Groups ... with the methods we use at our campus, we could easily control "who prints where" based on the Active Directory membership by having the user's Active Directory membership be echoed in their Uniprint User Group membership.   This would allow for better securing of systems and better ensuring only authorized printing.   One of the challenges I face currently is providing printing for departments but with little to no methods to ensure unauthorized printing does not occur.  We have many locations where multiple departments (or "organizations") are allowed to use the same computers (at different times from each other, of course) however the printers (and the use of the printers) are supposed to be limited to the "primary" department or organization or at a different cost rate than the "primary" organization.  Right now, it's difficult to manage controls of that because the Uniprint Groups cannot mirror active directory membership.

       

      Yes, the printers can be "secured" using ACLs and/or Firewall settings, but those settings are not user based.  If Uniprint's User Groups could mirror Active Directory membership, then it would be simple to have user based controls of "who prints where".

       

      I ask Pharos:  Can we have multiple User Group membership for the Uniprint users?   (if so, how soon?)

       

      Thanks,

      - Paul L.

        • Re: Multiple Group membership - Possible?  No?
          Scott Olswold Guide

          Paul,

          Historically, Groups in Uniprint have been used for:

          • Discount schedules
          • Color printing ability, and (if desired) specific applications to allow
          • Cost centers / Grants (if using Third Party Billing)
          • SignUp environment / access

          In that model, you run the risk of -- just like in Active Directory -- putting a user in groups that have conflict in the system. If the concept of group assignment were expanded per your suggestion, do we take the Active Directory position that, in conflict, the least permissive attribute wins? In other words if I am simultaneously in the "GroupA" and "GroupB" groups, and GroupB can print in color from PowerPoint but GroupA can't print color at all, then I can't print in color. Period. Additionally, what if I'm using Cost Centers and GroupA can access CC-001 and CC-003, and GroupB can access CC-002 and CC-003, do I get all 3, or just the common one (CC-003)?

          -Scott

          • Re: Multiple Group membership - Possible?  No?
            Yadin Flammer Navigator

            I've been pestering them about this for a good 8 years.  Creating a group for a single person on a regular basis is extremely clunky, but it's the only way to deal with a single person who is cross group since we can't add them to both groups for printer access.  The idea I discussed with them 2 years ago at the conference was two different kinds of groups so that the primary group functions Scott mentioned wouldn't be interrupted without a total re-write.  The secondary groups would be used only for printer access rights as that's the crippling limitation.  Seems that hasn't gotten much traction unfortunately.

              • Re: Multiple Group membership - Possible?  No?
                Paul LaFollette Guide

                And that is the reason I desire it the most.... For printer access rights.  Costing is pretty much already in place and controllable elsewhere (easily).  Using groups to manage/control printer access seems a natural fit (to me).

                 

                Active Directory membership is almost entirely for one reason: User access control for computers.

                 

                Why not use the same methodology for user access control for printers?

                 

                Pharos:  We want/need a better method to control access for printers.  If we can match the Active Directory membership (which we already use) in Pharos somehow, I would hop in feet first!

                 

                - Paul L.

                • Re: Multiple Group membership - Possible?  No?
                  Scott Olswold Guide

                  Yadin,

                  If I nail your ask down to The Big Question:

                  • What am I trying to solve?

                  The answer is something like "I'm trying to solve the problem of users printing to queues | releasing jobs (pick one or both) that they shouldn't be using."

                  Is that correct?

                  Once the question is asked, we talk about acceptance/design criteria:

                  1. Are permissions granular (at the queue and/or device layer), or more encompassing, like at the Print Group layer?
                  2. Will this be wholly managed within the Uniprint infrastructure, or do we also allow the share permissions of a Windows print queue to play along (potentially even overriding anything in Uniprint); some Uniprint sites rely on Windows permissions to queue objects to restrict access, and we wouldn't want to get in the way of that.
                  3. How to incorporate workflows where only the card identifier is used for authentication (users don't exist in Uniprint; the card Gateway acts as both identifier and biller)?
                  4. What about the edge case where a user belongs to two groups with conflicts?

                  -Scott

                    • Re: Multiple Group membership - Possible?  No?
                      Yadin Flammer Navigator

                      In our case the problem we're trying to solve is very simple.

                      Uniprint controls all printing, so all permissions are controlled in Uniprint by what group has access rights on the device.

                      I have 20 people in Art History, and 30 in Visual Arts.  One person is in both areas.  Printing to printers in each area is limited to the group for that area.

                      So, to give that one person access to printers in both areas they operate, I have 3 choices:

                      1. Don't actually restrict printer access, allow anyone to print anywhere.

                      2. Allow one whole group access to the printers in the other area.

                      3. Make a 3rd group that contains one person that has access on the printers in both areas.

                       

                      So really, I have one option if I'm doing it right, which is option 3, which is clunky once you start getting several of these cases in a college.  The proper solution is to put the one user in both groups.  Uniprint is the only product I can think of that has a 1:1 relation of user:group, everything else we work with is 1:many as is the normal concept of users and groups.  I've brought this up a lot over the years and have never heard of a good alternative as a solution.  From what I have heard from other customers, this is the standard frustration.  There may be other edge cases, and I understand there may be other operational concerns in implementing this, but at the core it's this simple of a problem that many of us would like to solve.

                      • Re: Multiple Group membership - Possible?  No?
                        Steven English Guide

                        Scott Olswold,

                         

                        I think this will be one of those cases where most would agree that there is not an elegant solution that would address everyone.  Similarly to the way that MobilePrint is designed to hit the bulk of users with a high degree of document fidelity, there are a number of formats which have been left off the list for specific reasons (e.g. printing a simple web page/email).  What I have gleaned from conversations with customers and from the comments in this thread, is that many customers would be happy to have a limited solution that is not trying to be a multi-user group solution for everyone.

                         

                        • Are permissions granular (at the queue and/or device layer), or more encompassing, like at the Print Group layer?
                          • Ideally both, but if one had to be selected let it be at the Print Group level (another queue can always be created as a different entry point to the device without needing additional licensing)
                        • Will this be wholly managed within the Uniprint infrastructure, or do we also allow the share permissions of a Windows print queue to play along (potentially even overriding anything in Uniprint); some Uniprint sites rely on Windows permissions to queue objects to restrict access, and we wouldn't want to get in the way of that.
                          • The permissions would be optional, so customers who do not need them could simply stick with their Windows, and customers who want them can implement them to whatever level of functionality is available
                        • How to incorporate workflows where only the card identifier is used for authentication (users don't exist in Uniprint; the card Gateway acts as both identifier and biller)?
                          • Any customer wanting to take advantage of user group permissions would need to have users in the database (sorry, Charlie!), or consider allowing for the definition of dynamic user groups based on regular expressions in order to handle some basic separations of staff/student/guest.  Of course, any implementation of dynamic groups would need to be programmatical and may still eliminate the customer from being able to take advantage.
                        • What about the edge case where a user belongs to two groups with conflicts?
                          • Gateway logic could be implemented that allows for determining which fork to take when faced with a conflict.  Implementing some options as are seen with ACLs should make enough people happy.

                         

                        On the whole, I think the request is for something, as that is better than nothing.  Custom scripting of course can be used, but that is certainly not a friendly option for most, and management would be a bit messy, although a custom database table could be created that holds membership for all users as dumped from AD, then a script could check that membership against another custom table that identifies permissions.  It is doable on both a large scale, and could be dialed back and simplified for something more basic, but neither is simple.  I will conclude by saying that I am unaware of anyone deciding against Pharos because this feature was missing, but for those who really want it, inclusion would obviously make them really happy.

                         

                        Regards,

                        Steven

                        1 of 1 people found this helpful
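
The two-table approach described in the post above (membership dumped from AD, checked against a permissions table), together with the conflict questions raised earlier in the thread, as an added example that is not part of the original thread and is not Pharos code. The table names, column names, users, the "Suspended" group and all rows are constructed for illustration; printer access is default-deny with deny overriding allow, and cost centers can be resolved by union or by intersection.

```python
import sqlite3

# Hypothetical schema and constructed sample rows (not Uniprint tables).
SCHEMA = """
CREATE TABLE ad_membership (username TEXT, grp TEXT);
CREATE TABLE printer_acl (grp TEXT, print_group TEXT,
    effect TEXT CHECK (effect IN ('allow', 'deny')));
CREATE TABLE cost_center_acl (grp TEXT, cost_center TEXT);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ad_membership VALUES (?, ?)", [
        ("alice", "ArtHistory"), ("alice", "VisualArts"),
        ("bob", "ArtHistory"), ("carol", "VisualArts"), ("carol", "Suspended")])
    db.executemany("INSERT INTO printer_acl VALUES (?, ?, ?)", [
        ("ArtHistory", "AH-Printers", "allow"),
        ("VisualArts", "VA-Printers", "allow"),
        ("Suspended", "VA-Printers", "deny")])
    db.executemany("INSERT INTO cost_center_acl VALUES (?, ?)", [
        ("ArtHistory", "CC-001"), ("ArtHistory", "CC-003"),
        ("VisualArts", "CC-002"), ("VisualArts", "CC-003")])
    return db

def may_print(db, username, print_group):
    """Default deny; any matching 'deny' overrides every 'allow'."""
    effects = {row[0] for row in db.execute(
        """SELECT a.effect FROM ad_membership m
           JOIN printer_acl a ON a.grp = m.grp
           WHERE m.username = ? AND a.print_group = ?""",
        (username, print_group))}
    return "allow" in effects and "deny" not in effects

def cost_centers(db, username, policy="union"):
    """Combine per-group cost centers; groups with no rows are ignored."""
    per_group = {}
    rows = db.execute(
        """SELECT m.grp, c.cost_center FROM ad_membership m
           JOIN cost_center_acl c ON c.grp = m.grp
           WHERE m.username = ?""", (username,))
    for grp, cc in rows:
        per_group.setdefault(grp, set()).add(cc)
    sets = list(per_group.values())
    if not sets:
        return set()
    return set.union(*sets) if policy == "union" else set.intersection(*sets)
```
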
                          • Re: Multiple Group membership - Possible?  No?
                            Scott Olswold Guide

                            Paul, Yadin, and Steven,

                            I agree that permissions to client-side objects should be a function of Uniprint; not everyone is able to use the convenient method that Microsoft provides. I also agree that a 1:Many relationship is just good, common sense. I've been playing Devil's Advocate here, in the hope that multiple viewpoints would come into play and help land on a commonality of features/tradeoffs that @Jeff Herald can use to create a User Story.

                             

                            Scott

                      • Re: Multiple Group membership - Possible?  No?
                        Jeff Herald Guide

                        Hi Everyone,

                         

                        This is a good topic.  I understand, this has been a feature request for quite some time.  For a select group, it's obviously a desirable change while for others, it's not even a concern.  We've considered this in the past, and it is still on the list.  It's not a simple change though.  Group membership touches many parts of the product.  We are currently considering this change in conjunction with some improvements in AD/LDAP integration.  Doing that will necessitate multiple groups per user.  I do not have any more details to share on this yet, and I do not have a timeline.  Just know that it's on the table for planning and discussion.  Thanks.

                         

                        -Jeff Herald - Pharos Systems.