The following table shows the tasks for configuring printers in a Trusted Solaris environment and the recommended roles and the tools that perform each task. The table provides links to procedures and other related documentation.
Table 11-1 Tasks for Configuring Printers
Role Rights Profile |
Task |
Tool |
Notes |
---|---|---|---|
System Administrator Device Management |
Configures printers |
Printer Administrator action |
See "To Configure an Attached Printer","To Configure a Network Printer for Labeled Output", and "To Add Access to a Remote Printer". See also "Starting Solaris Print Manager" and "Setting Up Printers (Tasks)" in the Solaris 8 System Administration Guide, Volume 2 and following for how to do the configuration. Note - Where the instructions tell you to become superuser, do the steps at |
Security Administrator Printer Security |
Specifies a restricted label range for a printer (optional). The default is |
The Set Printer Label Range action or the add_allocatable(1M) command | See "To Configure a Restricted Label Range for a Printer". |
Printer clients can only submit print requests at labels that are allowed by the trusted network database entries for the printer client computer and printer server.
By default, users cannot print PostScript files. This restriction exists because a knowledgeable PostScript programmer could create a PostScript file that modifies the labels on the printer output.
If desired, the Security Administrator role can assign the Print PostScript authorization to trustworthy users and role accounts. The Security Administrator role should do so only if the account can be trusted not to spoof the labels on printer output and if permitting the printing of PostScript files is consistent with the site's security policy.
A filter provided with the Trusted Solaris printing system converts text files to PostScript. Files converted to PostScript by any installed filter programs can be trusted to have authentic labels and banner and trailer page text because the filter's programs are trusted programs that are run by the printer daemon.
A site's System Administrator role can install additional filters, which then can be trusted to have authentic labels and banner and trailer pages. See the "Managing Character Sets, Filters, Forms, and Fonts (Tasks)" in System Administration Guide, Volume 2 for how to add filters.
PostScript printers are the only types of printers that support labels and other handling information on printer output and on mandatory banner and trailer pages. The following types of printers function correctly, but they do not support page labels or labeled banner and trailer pages.
Non-PostScript printers
Printers connected to a print server that is not running the Trusted Solaris release
Network printers that have not been configured from a Trusted Solaris computer
Jobs sent to a network printer print without labels and trailer pages if the network is not being managed by a Trusted Solaris print server. The network printer would have been configured in one of the two following ways:
Using the printer's own software supplied by the printer vendor to be a standalone node on the network
Using LP printer administration commands on a print server that is not running the Trusted Solaris release
If desired, the Trusted Solaris computer can be set up to send jobs to a printer connected to or managed by a computer (print server) that is not running Trusted Solaris software. Print servers connected to unlabeled servers can print jobs only at the single label that is specified for the print server in the trusted network databases on the Trusted Solaris computer. Jobs print without labels or trailer pages and without security information on banner pages.
Printing from unlabeled computers to a printer on a Trusted Solaris print server is supported.
A user submitting a job from a single-label computer to a Trusted Solaris print server cannot cancel that job and cannot remove the job from the print queue. When a user sends a job from a labeled computer, the trusted network provides the UID of the user sending the print request. For unlabeled computers, the UID of the sender of the job is not available, so the UID assigned to the print job does not match that of the submitting user.
Network printers can print labels on body pages and banner and trailer pages if the printer is managed by a Trusted Solaris computer. See "To Configure a Network Printer for Labeled Output" for how to set this up.
A network printer can print jobs only at the single label specified in the template that is assigned to the network printer's IP address.