Contents

  1. About Access Control Rules
    1. What are Access Control Rules?
    2. Unlock a Function for Unrestricted Access
    3. Authorize a Function for a Specific Group of Users
    4. Combining Access Control Rules and Assigning them to Printers
  2. How to…
    1. Create a New Access & Rules Profile
    2. Add a Rule to Unlock a Function
    3. Authorize a Function for Smartcard/Card or PIN Authentication
    4. Set Up ID Mask and Dual Factor Authorization for Card Authentication
    5. Enable Self-Enrollment for Card Authentication

About Access Control Rules

What are Access Control Rules?

Access Control Rules define who can access which functions of a multi-function printer. Access Control Rules:

  1. Unlock functions for unrestricted use, so that they can be used without authentication.
  2. Enable functions you are authorized to use, when you authenticate at the printer.

On a printer, the functions that are unlocked are available without you having to authenticate. Once you authenticate, the functions you are authorized to use also become available.

Unlock a Function for Unrestricted Access

In the example shown below, a company does not want to restrict black and white photocopying. The Access Control Rule unlocks the black and white photocopy function, making it unnecessary for anyone to authenticate at the printer for that function.

Any printer that this rule applies to does not restrict the black and white photocopy function. The other rules that apply to that printer (see the example below) cannot restrict the black and white copy function, because it is already unlocked.

Authorize a Function for a Specific Group of Users

In the example shown below, the Access Control Rule specifies the following:

  1. Use Card to authenticate at the printer.
  2. Validate credentials against the identity management system(s) specified by Authentication Source Profile (ASP Admin).
  3. Upon successful authentication, Authorize Color Copying only for those who belong to Organizational Groups that have names beginning with the letters ACC.

The rule can be expanded to enable more complex scenarios such as:

  1. Enabling Color Copy for those who belong to Organizational Groups that have names beginning with the letters ACC, and belong to the User Group SG, but not to the User Group NO_COLOR_PRINT.
    Changing the rule condition from Match All to Match Any authorizes anyone who belongs to any one of the specified groups to use the Color Copy feature.
  2. Allowing Card Authentication as well as the User Name / Password Identification Method, so that users who forget their card can still authenticate at the printer.
  3. Enabling more than one function within a single rule.

Combining Access Control Rules and Assigning them to Printers

You assign a rule to a printer by adding the rule to the Access & Rule Profile assigned to that printer. An Access & Rule Profile is a named collection of rules. When you authenticate at a printer, the availability of functions is determined by the combination of the Access Control Rules in the Access & Rule Profile assigned to that printer.

One Access & Rule Profile can be assigned to many printers. This eliminates the need to set rules for each printer individually. Furthermore, if you add, remove or change a rule, all printers controlled by that Access and Rule Profile are updated.

Similarly, one Access rule can be assigned to more than one Access & Rule Profile. Changing the rule will update all such Access & Rule Profiles, and hence, all printers that use those Access & Rule Profiles.
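
The following added example (not Celiveo code, and not taken from the product) models how the rules in one Access & Rule Profile combine, and how Match All and Match Any change the outcome of the Color Copy rule described above. The class names, field names, operator names and sample users are assumptions made for illustration.

```python
# Illustrative model only: every name here is an assumption, not Celiveo's API.
from dataclasses import dataclass, field

@dataclass
class Condition:
    criteria: str   # "org_group" or "user_group" (hypothetical keys)
    operator: str   # "begins_with", "equals" or "not_equals" (hypothetical)
    value: str

    def met(self, user):
        groups = user.get(self.criteria, [])
        if self.operator == "begins_with":
            return any(g.startswith(self.value) for g in groups)
        if self.operator == "equals":
            return self.value in groups
        if self.operator == "not_equals":
            return self.value not in groups
        raise ValueError(f"unknown operator: {self.operator}")

@dataclass
class Rule:
    functions: set
    identification: str = "card"    # "none" means the functions are unlocked
    conditions: list = field(default_factory=list)
    match: str = "all"              # "all" = Match All, "any" = Match Any

    def authorizes(self, user):
        if not self.conditions:
            return True  # no rule condition: every authenticated user qualifies
        combine = all if self.match == "all" else any
        return combine(c.met(user) for c in self.conditions)

def available_functions(profile, user=None):
    """Functions usable at a printer; user=None means nobody has authenticated."""
    available = set()
    for rule in profile:
        if rule.identification == "none":
            available |= rule.functions      # unlocked: no other rule restricts it
        elif user is not None and rule.authorizes(user):
            available |= rule.functions
    return available

# Constructed sample rules mirroring the examples on this page.
UNLOCK_BW = Rule({"bw_copy"}, identification="none")
CONDS = [Condition("org_group", "begins_with", "ACC"),
         Condition("user_group", "equals", "SG"),
         Condition("user_group", "not_equals", "NO_COLOR_PRINT")]
COLOR_ALL = Rule({"color_copy"}, conditions=CONDS, match="all")
COLOR_ANY = Rule({"color_copy"}, conditions=CONDS, match="any")
```

In this model, switching a rule that contains a negative condition to Match Any authorizes every authenticated user who is simply not in NO_COLOR_PRINT, so review exclusion conditions before changing the match mode.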

How to…

Create a New Access & Rule Profile

You create a new Access & Rules Profile while assigning it to a printer.

  1. On the Celiveo Web Admin, at the main menu, click . The Printer List displays.
  2. Select the Printer you want to add the new Access & Rules Profile to.
  3. On the printer menu, click . Access and Rules is displayed.
  4. To create an empty Access & Rules Profile, click .
    To create a new Access & Rules Profile by cloning an existing rule, select the existing rule from the drop-down and click . The Access & Rules Profile is displayed.
  5. In the [Profile Name] box, specify a unique name for the Access & Rules Profile.
    The new Access & Rules Profile is created when you save it.

Add a Rule to Unlock a Function

  1. In Access & Rule Profile, click adjacent to [Access Control Rules] drop-down. A new rule displays.
  2. At [Rule Name] specify a name for the rule.
  3. In the [Device Functions] section, click the different buttons to deactivate all features but Black and White Copy.
  4. In the [Identification Method] section, select No identification.
  5. Click [Save].

Authorize a Function for SmartCard/Card or PIN Authentication

Authorizing a function is a three-stage process.

  • Stage 1 – Enable Smartcard, Proximity card or PIN Authentication
  • Stage 2 – Specify the function to authorize
  • Stage 3 – Specify who is authorized to use the function (If all users who successfully authenticate are allowed to use the function, this stage can be skipped)

Stage 1:

  1. In Access & Rule Profile, click adjacent to [Access Control Rules] drop-down. A new rule displays within the Access & Rules Profile.
  2. At [Rule Name] specify a name for the rule.
  3. In the Access Control Rule Profile, in the [Identification Method] section, click . The Rule Definition is displayed.
  4. In the [Criteria] drop-down, select [Card Number] for Card Authentication, [PIN Code] for PIN Authentication or [UPN in Smartcard Cert] for Smartcard Authentication.
  5. In the Source drop-down, select the Authentication Source Profile to authenticate against.

Notes:

  • For information on Authentication Profiles, see the article on Authentication Profiles.
  • The system ensures that all Card Authentication Access Control Rules for a given printer are authenticated against the same Authentication Profile.
  • For more information about Authentication Profile, refer to About Authentication Profiles.
  • You can combine Card Authentication with the User Name/Password method in the same Access Control Rule.
  • A Smartcard license feature connector is required to use [UPN In Smartcard Cert].
  • [UPN In Smartcard Cert] rule can only be combined with [Username and Password].
  • [UPN In Smartcard Certification] rule cannot be used with the [Celiveo Authentication Gateway] authentication method.
  6. Click [Save]. You return to the Access Control Rule Profile.

Stage 2

  1. In the [Device Functions] section, select the features you want to authorize. The features you select are displayed as blue buttons.

Notes:

  • If you selected Scan to Email, click and specify who to send the scanned image to.
  • If you selected Print, click and specify the pull print settings.

Tip: Use the Celiveo CSS option only if you are upgrading from SecureJet 7.0.5/6 or Celiveo 8.0.x.

Stage 3

To grant permission for a user group or organizational unit:

  1. Under [Rule Condition], click . The Rule Definition is displayed.
  2. From the [Criteria] drop-down, select User Group or Organizational Unit.
  3. In the [Operator] drop-down, select the comparison criterion.
  4. In the [Value] box, specify what to compare against.
    Note: You can specify multiple rule conditions, and select [Match Any] to authorize the features if any one condition is met, or select [Match All] to authorize the features if every condition is met.
  5. Click Save until all dialogs close.

Set Up ID Mask and Dual Factor Authorization for Card Authentication

  1. In Access & Rule Profile, in Access Control Rules, select the rule that implements card authentication.
  2. Click under [Access Control Rules]. The rule displays for editing.
  3. In the [Identification Method] section, click in the row containing the Card Number condition. The Rule definition displays.
  4. Click in the row containing the Source. The Authentication Source Profile displays.

To set up the ID Mask:

  1. Click the [ID Mask] button to turn it on.
  2. Click , which is placed next to [ID Mask]. The ID Mask displays.
  3. Specify the ID Mask to use to extract the card number and click [Close]. See this article on how to configure ID mask.
  4. From the [ID Processing] drop-down, specify how to process the extracted card number.

Information about ID Processing:

The ID Processing methods convert the number extracted from the card so that it matches the number printed on the back of the card. These conversions are needed when the card ID in Celiveo has to match the number on the back of the card, or when it has to correspond to an existing number in a database that would be imported to AD or the Celiveo SQL DB.

To enable dual factor authentication:

  1. Click the [Dual Factor] button to turn it on.
  2. Click , which is placed next to the [Dual Factor] button.
  3. Specify properties of the password to use and click [Close].
  4. Click Save.

Enable Self Enrollment for Card Authentication

When self enrollment is enabled, you can log in at the printer using your Windows credentials. Thereafter you can save your card details to Celiveo, without the help of a Celiveo Administrator.

  1. In Access & Rule Profile, in Access Control Rules, select the rule that implements card authentication.
  2. Click under [Access Control Rules]. The rule displays for editing.
  3. In the [Identification Method] section, click in the row containing the Card Number condition. The Rule definition displays.
  4. Click in the row containing the Source. The Authentication Source Profile displays.
  5. Verify that Self Enrollment is turned on (the Self Enrollment button is highlighted in blue when Self Enrollment is on).
  6. Click , which is placed next to the [Self Enrollment] button. The Self Enrollment settings display.

UNENROLL INACTIVE USERS
To help the IT administrator keep the database up to date, you can set a time frame to automatically remove an inactive user.
At [Auto unenroll inactive user after days], enter the number of days.
An enrolled user who has not used the Celiveo system after the specified number of days is automatically removed.

  7. To save card info in the Celiveo database:
    1. Select [SQL].
    2. In the [Schedule SQL User Data Sync] section, specify when and how often user information should be synced with the Authentication Server.
  8. To save card information on the Authentication Server, select [AD/LDAP].
    See the information about the advanced settings of an authentication profile to see where card information is saved.
  9. Close all dialogs.
Last modified: 13 November 2020
