PRISMAsync Administration guide - Canon Global...About this guide The PRISMAsync user authentication...

Administration guide PRISMAsync Print Server User authorization and authentication


  • Administration guide

    PRISMAsync Print Server User authorization and authentication

  • Copyright and Trademarks

    Copyright

    Copyright 2017-2018 Océ.

    Illustrations and specifications do not necessarily apply to products and services offered in each local market. No part of this publication may be reproduced, copied, adapted or transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language in any form or by any means, electronic, mechanical, optical, chemical, manual, or otherwise, without the prior written permission of Océ.

    OCÉ MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE CONTENTS OF THIS PUBLICATION, EITHER EXPRESS OR IMPLIED, EXCEPT AS PROVIDED HEREIN, INCLUDING WITHOUT LIMITATION, THEREOF, WARRANTIES AS TO MARKETABILITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OF USE OR NON-INFRINGEMENT. OCÉ SHALL NOT BE LIABLE FOR ANY DIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY NATURE, OR LOSSES OR EXPENSES RESULTING FROM THE USE OF THE CONTENTS OF THIS PUBLICATION.

    Océ reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation to notify any person of such revision or changes.

    Language

    Translation of the original instructions that are in British English.

    Trademarks

    Océ, Océ PRISMA, and Océ VarioPrint are registered trademarks of Océ-Technologies B.V. Océ is a Canon company.

    All other trademarks are the property of their respective owners.

    Edition 2018-04 US

  • Contents

    Chapter 1 Introduction, page 5
      Notes for the reader, page 6
      Introduction to PRISMAsync user authorization and user authentication, page 7
      About this guide, page 8

    Chapter 2 Configure user authorization, page 9
      Learn about PRISMAsync user access rights, page 10
      Learn about user groups, page 13
      User access rights of factory defined user groups, page 15
      Create, edit, and delete local user groups, page 16
      Define access to job functions, page 18
      Define the authorization of a hotfolder, page 20

    Chapter 3 Configure user authentication, page 21
      Learn about user accounts, page 22
      Learn about domains, page 23
      Add, edit, and delete domains, page 25
      Add domain user groups, page 29
      Add, edit, and delete local user accounts, page 31
      Assign a local user account to a local user group, page 33
      Enable or disable a local user account, page 34

    Chapter 4 Configure user permissions, page 35
      Define access to control panel, page 36
      Define access to Settings Editor and use of USB, page 37
      Determine how personal jobs are defined, page 39
      Define use of passwords, page 40
      Define session timers, page 42
      Define access to a hotfolder, page 43
      Define access to media settings from control panel, page 44

    Chapter 5 Configure smart card usage, page 45
      Learn about PKI smart card login, page 46
      Learn about smart card authentication, page 48
      Configure the use of smart cards, page 51
      Create user group for smart card users without domain, page 52
      Test the smart card configuration, page 53
      Import a certificate, page 56

    Chapter 6 Log in, log out, and change passwords, page 57
      Log in to the printer, page 58
      Log out or switch roles, page 61
      Change password, page 62
      Recover password, page 63
      Reset the factory defined system administrator account, page 65

  • Chapter 1 Introduction

  • Notes for the reader

    Typography

    This manual uses the following typography to indicate elements that are part of the user interface.

    Typography | Indicates
    [Text between square brackets] | Name of a button, tile, setting, value, or other option of the user interface
     | Name of a key on a keyboard; name of a variable: item that varies according to the context
    Text displayed in courier font | File path; Command Prompt comment
    [Text] → [displayed in] → [menu cascade] | Names of options to be used in a fixed order

    Symbols

    This manual uses the following symbols to indicate requirements, restrictions and clarifications.

    Type of symbol | Indicates
    IMPORTANT | Indicates an operational requirement or restriction. Read these items carefully in order to prevent damage to equipment, software, data, media, or property.
    NOTE | Indicates a clarification of an operation or contains additional explanations for a procedure. Reading these notes is highly recommended.

  • Introduction to PRISMAsync user authorization and user authentication

    There are several starting points to use the PRISMAsync printer. Operators access the printer via the control panel or remotely via PRISMAsync Remote Manager.

    [Figure: starting points for using the PRISMAsync printer. Labels: Print production, Job planning, Job preparation, PRISMAsync Remote Manager, PRISMAsync Remote Control, Hotfolder, PRISMAsync driver, Adobe, PRISMAprepare, PDF, Waiting jobs, Scheduled jobs.]

    Users who are responsible for the system configuration, security, user authentication and authorization, and the network connectivity use the Settings Editor.

    PRISMAsync user authorization and user authentication prevent unauthorized persons from viewing job information and from accessing the stored user and printer information. PRISMAsync user authorization is the process of providing users access to printer functions based on their identity and tasks. PRISMAsync user authentication is the process of identifying a user, based on a username and password.

    In secured systems like the PRISMAsync printer, authentication is distinct from authorization. Authentication verifies the identity of a user, but says nothing about the authorization: the access rights of the user.

    Factory defined configuration

    After installation the printer has a factory defined setup of authorization and authentication settings. This means that there are factory defined user groups and factory defined user accounts that users can immediately use. The factory defined user groups reflect default roles that correspond with the main tasks on the printer: operate the printer, maintain the printer, configure the printer, connect and secure the printer. To configure, connect and secure the printer, users must always authenticate themselves.

  • About this guide

    The PRISMAsync user authentication and user authorization procedures ensure that you can secure the printer optimally according to the security guidelines of your company. This Administration guide has been developed to explain the concepts and to describe the procedures. It also describes the login procedures and some other related tasks and functions.

    The target group of the Administration guide is responsible for the configuration of user authentication, user authorization and related access options. The target group needs the correct rights ([Full access IT settings]) to change the related settings.

    The Administration guide applies to all printers that are controlled by a PRISMAsync controller. In case printer types differ, notes are included to explain the difference.

    Supported products

    The descriptions and instructions in the Administration guide are applicable to the following PRISMAsync printers and printer releases.

    imagePRESS C800 Release 6.1

    imagePRESS C850 Release 6.1

    imagePRESS C1000 Release 6.1

    VarioPrint i-series Release 2.2

    varioPRINT DP Line Release 6.1


  • Chapter 2 Configure user authorization

  • Learn about PRISMAsync user access rights

    User access rights

    You can define generic access rights that are applicable to all users of all user groups.

    This topic describes the access rights that can be defined per group of users. PRISMAsync assigns user rights to user groups. Every user group has certain user rights. You give users their access rights by making them a member of one or more user groups. (Learn about user groups on page 13)

    Hotfolder access rights

    Hotfolders can only be used by users that are authorized for hotfolder access. Moreover, per hotfolder you can assign a user group. This user group defines the users that are allowed to use the hotfolder. (Define the authorization of a hotfolder on page 20)

    Example

    This example illustrates how user access rights can be distributed across user groups. The circles represent three user groups; the symbols represent user access rights. The table below describes these user access rights.

    User access rights | User group
    [Access maintenance tasks] | Orange user group
    [Access control panel] | Orange, green, and blue user groups
    [Access configuration settings] | Orange and green user groups

    Example

    The new local user group Export is created for users that need rights to access the control panel and the Settings Editor. The users are able to configure system settings.

    The ten PRISMAsync user access rights

    There are ten factory defined user access rights that together cover the complete functionality of the printer. You are not able to change these user access rights or to create new user access rights.

    Below you find a description of the user access rights.

    User access rights | Description
    [Access only personal jobs] | When the user also has the rights to access the control panel, all jobs in the queues are visible. However, the user can only print or change jobs that he or she owns. The job ticket of the job contains information about the job owner. When the username during login corresponds to the job owner name, the job is called a personal job. The job owner name in the ticket can be the unique, fully qualified name, for example [email protected] or can be a non-qualified name, for example user1. (Determine how personal jobs are defined on page 39)
    [Access all jobs] | When the user also has the rights to access the control panel, the user can change and print all jobs in the queues.
    [Access control panel] | The user can access the control panel.
    [Access Settings Editor and Remote Manager] | The user can access Remote Manager and the Settings Editor. Remote Manager can be accessed via the Settings Editor.
    [Access maintenance tasks] | The user can perform maintenance procedures that are protected with a login panel.
    [Access configuration settings] | The user can change workflow and job defaults, and can access logging files.
    [Limited access IT settings] | The user can perform the following IT tasks: software installation and upgrade; upload and install license files and customer solutions; media management settings; back up and restore the system configuration.
    [Full access IT settings] | The user can perform the following IT tasks: all tasks described for [Limited access IT settings]; all other tasks that cover available IT, security, and connectivity settings.
    [Restore factory default administrator] | The user can restore the factory default administrator user account and default [System administrators] user group.
    [Access tools of Service] | The user can access Service tools. This user right can only be assigned to the default defined Service user group.

  • Learn about user groups

    A user group consists of one or more users (members) who have the same access rights. (Learn about PRISMAsync user access rights on page 10) Only users that are part of a user group are authorized to access the printer. Users are part of one or more groups. (Learn about user accounts on page 22)

    Example

    This example illustrates how users can be distributed across user groups. The circles represent three user groups; the symbols represent user accounts. The table below describes these user accounts.

    Users | Description
    Operators | All operators belong to the blue group.
    Key operators | All key operators belong to the green group.
    Maintenance operators | All maintenance operators belong to the orange group. One maintenance operator also belongs to the green group.

    Types of user groups

    PRISMAsync has three types of user groups: factory defined user groups, local user groups, and domain user groups.

    You can maintain a maximum of 100 user groups.

    Types of user groups | Description | Members
    Factory defined user groups | [Operators], [Central operators], [Key operators], [Maintenance operators], [System administrators], [Service operators], [Manufacturing operators]. (User access rights of factory defined user groups on page 15) | Factory defined user groups have one factory defined user account by default. You can add existing or new user accounts to a factory defined user group, except from the group of Service operators. You cannot delete the factory default group of system administrators or service operators.
    Local user groups | User groups that you created. | You can assign local user accounts and factory defined user accounts to a local user group.
    Domain user groups | User groups that you added and that belong to a domain. (Learn about domains on page 23) | The user accounts of a domain user group are defined on an LDAP directory server.

    Example

    In the example below you see the factory defined user groups, one local user group (Export), and one domain user group (Office users).

  • User access rights of factory defined user groups

    The factory defined user groups have a default set of user access rights. It depends on the default defined user group which user rights can be removed. It also depends on the default defined user group if other user rights can be added.

    The two tables below give an overview of the default user rights of the factory defined user groups.

    = factory defined user rights

    * = User right can be added or removed

    User group | [Access only personal jobs] | [Access all jobs] | [Access control panel] | [Access Settings Editor and Remote Manager] | [Access maintenance tasks]

    [Operators]

    *

    *

    *

    * *

    [Central operators]

    * * * *

    *

    [Key operators]

    * *

    *

    [Maintenance operators]

    *

    *

    *

    [System administrators]

    *

    [Service operators] *

    User group | [Access configuration settings] | [Limited access IT settings] | [Full access IT settings] | [Restore factory default administrator] | [Access tools of Service]

    [Operators] * * * *

    [Central operators] * * * *

    [Key operators]

    *

    * * *

    [Maintenance operators] VarioPrint i-Series *

    * * *

    [Maintenance operators] other printers

    * * * *

    [System administrators]

    * *

    [Service operators]

    * *

    *

    *


  • Create, edit, and delete local user groups

    Go to the user groups

    1. Go to: [Configuration]→[Groups].

    Create a local user group

    Local user groups can have all available user access rights except the access to Service tools.

    1. Click [Add].
    2. Define the user access rights. (Learn about PRISMAsync user access rights on page 10)
    3. Click [OK].

    Edit a local user group

    1. Select the user group.
    2. Click [Edit].
    3. Define the user rights.
    4. Click [OK].

    Delete local user groups

    1. Select one or more user groups.
    2. Click [Delete].
    3. Click [OK].

    Define access to job functions

    See Define access to job functions on page 18

  • Define access to job functions

    By default all functions of the control panel and Remote Manager are enabled. However, you can decide to disable specific functions for specific user groups. When you disable a function, the function remains visible but cannot be changed.

    The changes you make are applicable to the functions of the control panel and the functions of Remote Manager.

    The list of available functions differs per printer type.

    Example

    [2] Access to functions: multi-functional printer

    [3] Access to functions: print-only printer

    Go to the settings

    1. Go to: [Configuration]→[Groups].
    2. Select a user group.
    3. Click [Control panel settings].
    4. Click [General job management] and ensure that [Edit jobs] is enabled before you change other job properties.
    5. Enable or disable the required functions. (Overview of functions on page 19)

    NOTE: The changes become effective after a member of the group has logged in.

    Overview of functions

    Group of functions | Functions
    [Edit original settings] | [Note for operator]
    [Edit output settings] | [1- or 2-sided], [Binding edge], [Media], [Cover], [Layout], [Zoom], [Align], [Shift], [Print delivery], [Margin erase], [Adjust image], [Exposure], [Print quality and page numbering], [Binding], [Trimming], [Punching]
    [Edit general job settings] | [Number of sets], [Job name], [Destination], [Print range], [Separator sheets], [Accounting ID]
    [Edit original copy and print settings] | [Job type], [1- or 2-sided original], [Original type], [Original binding edge], [Original size], [Original background]
    [General job management] | [Edit jobs], [Delete], [Print job ticket], [Proof], [Build and bundle], [Split], [Forward jobs], [Select], [Import / export of PDF files]
    [Scheduled job management] | [Move to top], [Stop after job], [Move], [Print now]
    [Waiting job management] | [Edit bundled job], [Print], [Split], [Select]
    [Color adjustment] | [Start printer calibration], [Calibrate media family], [G7® verification], [Manual shading correction], [Auto Correct Color Tone], [Quick AGA], [Reset curves for AGA], [Register custom media], [Edit CMYK curves], [Edit spot colors], [Edit trapping presets]
    [Edit scanning settings] | [Type], [Size], [Resolution], [Color / black & white]
    [Edit scan job settings] | [Destination], [Email subject], [File ID]
    [Scan job management] | [Try again.]
    [DocBox job management] | [Move], [Lock], [Unlock], [Build and bundle]

  • Define the authorization of a hotfolder

    Only authorized users are allowed to use hotfolders. You can protect a hotfolder further by indicating that only authorized users of a selected user group are allowed to access the hotfolder.

    Go to the hotfolders

    Open the Settings Editor and go to: [Workflow]→[Hotfolders].

    Define a hotfolder

    1. Click [Configure] and check if the [Use WebDAV for hotfolders] function is ticked.
    2. Click [Add] or [Edit].
    3. Define a name and the automated workflow for the hotfolder.
    4. Indicate who is allowed to access the hotfolder.
       • Select [All authorized users] when all authorized user accounts are allowed to access this hotfolder.
       • Select [Authorized users of a specific user group] when only authorized user accounts of a specific user group are allowed to access this hotfolder.
    5. Use the [User group] function to select the user group when you want to restrict the access to a user group.
    6. Click [OK].

  • Chapter 3 Configure user authentication

  • Learn about user accounts

    Users are the persons that can use the printer. A user can have one or more user accounts to identify himself or herself. User accounts can be defined locally on the PRISMAsync controller or are available on an LDAP directory server.

    The groups to which the user account belongs determine the access rights of the user.

    Please note that other generic access settings also influence what users are allowed to do. (Define access to control panel on page 36)

    You can create 100 local user accounts.

    Types of user accounts

    PRISMAsync has four types of user accounts: factory defined user accounts, local user accounts,domain user accounts, and visitors.

    Type of user accounts | Description
    Factory defined user accounts: [Operator], [Central operator], [Key operator], [Maintenance operator], [System administrator], [Service operator] | Factory defined user accounts can be member of the factory defined user groups, but also of other local user groups. (Learn about user groups on page 13) You cannot delete the factory defined system administrator and Service operator accounts.
    Local user accounts | User accounts that can be created in the Settings Editor.
    Domain user accounts | User accounts that are member of one or more user groups defined on the LDAP directory server. (Learn about domains on page 23) User accounts and user group management must be done on the LDAP directory server.
    Visitors | Anonymous users who can access the control panel or the Settings Editor when access without authentication is allowed.

  • Learn about domains

    About LDAP domains

    When your organization works with LDAP domains, PRISMAsync can use domain user groups. Then, users can use the login names and passwords they also use elsewhere in your organization. The domain configuration extends the user login with a connection to one or more domains of an LDAP directory server.

    LDAP (Lightweight Directory Access Protocol) is an application protocol that queries and modifies items on LDAP directory servers. The PRISMAsync controller can request an LDAP directory server to perform user authentication and to retrieve address book information for scan to email. LDAP user groups on the LDAP directory service have LDAP user accounts on the same server. You need additional software to manage the LDAP user accounts and LDAP user groups.

    Users with an LDAP user account cannot change or recover their password on the printer.

    About domain user groups

    After you have configured a domain that is associated with a domain on an LDAP directory service, you can map one or more LDAP user groups to domain user groups.

    For a new domain user group you define the user access rights in the same way as you do for local user groups. (Learn about PRISMAsync user access rights on page 10) The domain integration means that user rights are updated automatically when a user logs in to the printer.

    Example

    In the example below the user group Office users has been added from the domain Event center.

    User authentication process via LDAP

    The user authentication process with a connection to an LDAP directory server is as follows:

    1. The user logs in with a domain selection and the specification of a username and password.
    2. PRISMAsync sets up a connection with the LDAP directory server according to the attributes of the domain configuration.
    3. PRISMAsync sends the (encrypted) username of the user for verification. The password is kept on the controller.
    4. The LDAP directory server verifies the user account.
    5. The LDAP directory server returns the verification results.
    6. When the user account is valid, PRISMAsync checks the access rights of the domain user groups of the user.
    7. The verification results are displayed on the login panel.

  • Add, edit, and delete domains

    Go to domain settings

    Go to: [Configuration]→[Domains].

    Create a domain

    1. Click [Add].
    2. Define the domain attributes. (Domain attributes on page 26)
    3. Click [OK].

    Edit a domain

    1. Select the domain.
    2. Click [Edit].
    3. Define the domain attributes. (Domain attributes on page 26)
    4. Click [OK].

    Test the connection, user authentication, and email address retrieval of a domain

    1. Select the domain.
    2. Click [Edit].
    3. Enter credentials in the [Login username] and [Login password] text boxes to test the connection. Use a user account name. The name is automatically extended with the suffix as configured in the domain settings. The account name is joined with the suffix using the at symbol (@).
    4. Enter a search string in the [Search text for scan-to-email recipients] text box.
    5. Click [Start the test] that belongs to the [Execute domain test] setting.

    Example domain test attributes

    Domain test results

    The following information is displayed when the test has been completed successfully.

    • [Test result of user authentication settings:] [Retrieved display name], [Number of groups user belongs to], [Distinguished name of first found group], [Number of found domain groups], [Name of first found domain group], [Description of first found domain group], [Distinguished name of first found domain group].
    • [Test result of scan-to-email settings:] [Retrieved email addresses].
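
    The domain test substitutes the text you enter into the %s placeholders of the search filters described under Domain attributes. The following is an added example, not part of the original guide and not PRISMAsync code: it checks a filter template before you save it and shows how an entered text expands when it is escaped per RFC 4515. The function names are hypothetical, the sample inputs are constructed, and the guide does not state how the controller itself treats special characters in the entered text.

```python
"""Added illustration, not PRISMAsync code: checking and expanding %s filter templates."""

# Templates quoted in this guide's domain attribute descriptions.
USER_FILTER = "userPrincipalName=%s"
GROUP_FILTER = "(|(objectClass=group)(objectClass=groupOfNames))"
EMAIL_FILTER = ("(&(mail=*)(|(anr=%s)(telephoneNumber=%s)"
                "(displayName=*%s*)(mail=*%s*)))")

# RFC 4515: inside a filter value these characters are written as a backslash
# plus two hex digits when they must match literally.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(text):
    """Return text with LDAP filter metacharacters escaped."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def check_template(template, needs_placeholder=True):
    """Return a list of problems in a filter template; an empty list means none."""
    problems = []
    if needs_placeholder and "%s" not in template:
        problems.append("no %s placeholder, the entered text is never used")
    depth = 0
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "\\":
            i += 3  # skip an escaped pair such as \28, it is not structural
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                problems.append("unmatched ')' at offset %d" % i)
            else:
                depth -= 1
        i += 1
    if depth:
        problems.append("%d '(' left open" % depth)
    return problems


def expand_filter(template, entered_text):
    """Replace every %s in the template with the escaped entered text."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("%s", escape_filter_value(entered_text))


def demo():
    """Run the checks on constructed sample inputs and return the results."""
    return {
        "user": expand_filter(USER_FILTER, "user1"),
        # A display name containing parentheses stays one literal value.
        "email": expand_filter(EMAIL_FILTER, "Smith (Sales)"),
        # The domain group filter has no placeholder by design.
        "group_check": check_template(GROUP_FILTER, needs_placeholder=False),
        # Constructed typo: the last closing parenthesis is missing.
        "typo_check": check_template(GROUP_FILTER[:-1], needs_placeholder=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```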


  • Domain attributes

    Domain attribute: Description

    [Name]: Name of domain

    [Description]: Description of domain

    [Fully qualified domain name]: Exact domain name to enable the connection to the LDAP directory server.
    NOTE: Depending on the LDAP directory server configuration this name can start with a dot symbol (.) or an at symbol (@).

    [Use for user authentication]: Indicates if the domain is used for the user authentication of the printer.

    [Search filter for user authentication]: Search filter to look up a user account. For example, "userPrincipalName=%s". The placeholder %s represents the username the user enters. You can use multiple placeholders in the search filter.

    [Attribute with groups of user]: LDAP attribute with the distinguished names of the groups the users belong to.

    [Search filter for domain groups]: Search filter that describes the query that is used for the lookup of domain groups. For example: (|(objectClass=group)(objectClass=groupOfNames)).

    [Attribute with name of domain group]: LDAP attribute that contains the name of the domain group

    [Attribute with description of domain group]: LDAP attribute that contains the description of the domain group

    [Attribute with distinguished name of domain group]: LDAP attribute that contains the distinguished name of the domain group.

    [Use for scan to email]: Indicates if the domain is used to look up recipients for the scan-to-email feature.

    [Search filter for email addresses]: This search filter describes which attributes of the object are used to look up the email addresses.
    Example 1: A query that searches for recipients that have the same telephone number as the search text: "telephoneNumber=%s". The placeholder %s represents the search text the user enters. The placeholder can be used multiple times in the search filter.
    Example 2: A query that searches for recipients that have the same telephone number as the search text or where the search text is part of the name or the email address of the recipient: "(&(mail=*)(|(anr=%s)(telephoneNumber=%s)(displayName=*%s*)(mail=*%s*)))". The element "anr=%s" searches the attributes that are set for Ambiguous Name Resolution (ANR) on the LDAP directory server.

    [Suffix for username]: Indicates how to extend the username.
    • The default value is [Use fully qualified domain name].
    • Select [Custom] to define how to extend the username. Use the [Suffix] text box to enter the string.

    [LDAP server]: Defines the LDAP directory server.
    • The default value is [Automatic detection].
    • Select [Select from detected servers] to display a list of found LDAP directory servers.
    • Select [Custom] to enter the LDAP directory server name and port in text boxes.

    [LDAP connection]: Indicates the authentication mechanism to connect to the LDAP directory server.
    • The default value is [Anonymous].
    • Select [Use credentials of current user] to authenticate with the credentials of the current user.
    • Select [Custom] to define the login credentials: [LDAP username] and [LDAP password]. Depending on the value of the [Suffix for username] setting, the username is extended with the fully qualified domain name or username suffix.

    [LDAP search base]: Defines the LDAP search base.
    • The default value is [Automatic detection].
    • Select [Custom] to define the search base. Make sure you type the correct syntax. For example: "dc=debian,dc=org".

    [Attribute with username]: LDAP attribute with the username

    [Attribute with email address]: LDAP attribute with the email address

    [Maximum objects to retrieve]: Defines the maximum number of objects that can be retrieved from the LDAP directory server. The default value is 11,000.

    [LDAP server timeout (sec)]: LDAP directory server timeout period. The default value is 60 seconds. Increase the value when the data size or the network need more time to establish a connection and to submit the data.
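    How the search-filter templates for user authentication and for email addresses expand, as an added Python example that is not PRISMAsync code: every %s is replaced by the typed text, escaped per RFC 4515 so that characters such as ( ) and * are matched literally, and the result is parsed and evaluated against a constructed directory. The directory entries, the function names, the escaping step, and the prefix-match approximation of anr= over ANR_ATTRS are assumptions of this example; only equality, presence, and substring items are supported.

```python
import re

# RFC 4515 escapes for characters that are filter syntax inside a value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Assumption: anr= is approximated as a prefix match on these attributes.
ANR_ATTRS = ("displayName", "givenName", "sn", "sAMAccountName", "mail")
# Example 2 from the [Search filter for email addresses] description.
EXAMPLE_2 = "(&(mail=*)(|(anr=%s)(telephoneNumber=%s)(displayName=*%s*)(mail=*%s*)))"
# Constructed directory entries (attribute -> list of values), not real data.
DIRECTORY = [
    {"displayName": ["Ann Lee"], "mail": ["ann.lee@example.test"],
     "telephoneNumber": ["5550100"]},
    {"displayName": ["Bob (Ops) Ray"], "mail": ["bob.ray@example.test"],
     "telephoneNumber": ["5550101"]},
    {"displayName": ["Lee Scanner Room"], "telephoneNumber": ["5550102"]},
]


def expand(template, typed):
    """Fill every %s with the escaped typed text; wrap a bare item in ()."""
    if "%s" not in template:
        raise ValueError("search filter has no %s placeholder")
    escaped = "".join(ESCAPES.get(ch, ch) for ch in typed)
    flt = template.replace("%s", escaped)
    return flt if flt.startswith("(") else "(" + flt + ")"


def parse(flt):
    """Parse a filter string into nested tuples; ValueError on bad syntax."""
    node, pos = parse_at(flt, 0)
    if pos != len(flt):
        raise ValueError("unexpected text at position %d" % pos)
    return node


def parse_at(s, i):
    """Parse one parenthesised filter starting at index i; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            kid, i = parse_at(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError("operator %s has a wrong number of operands" % op)
        node = (op, kids)
    else:
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1
        attr, sep, value = s[i:end].partition("=")
        if not attr or not sep:
            raise ValueError("expected attribute=value at position %d" % i)
        node = ("item", attr, value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError("missing ')' at position %d" % i)
    return node, i + 1


def value_regex(value):
    """Compile a filter value: a raw * is a wildcard, a hex escape is a literal."""
    unescape = lambda part: re.sub(
        r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)
    body = ".*".join(re.escape(unescape(p)) for p in value.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(kid, entry) for kid in node[1])
    if node[0] == "|":
        return any(matches(kid, entry) for kid in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.lower() == "anr":
        names, rx = [a.lower() for a in ANR_ATTRS], value_regex(value + "*")
    else:
        names, rx = [attr.lower()], value_regex(value)
    return any(rx.match(v) for k, vs in entry.items()
               if k.lower() in names for v in vs)


def lookup(template, typed, directory=DIRECTORY):
    """Return the display names of the entries the expanded filter selects."""
    tree = parse(expand(template, typed))
    return [e["displayName"][0] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    print(expand("userPrincipalName=%s", "user1@example.test"))
    for text in ("lee", "5550101", "(Ops)"):
        print(text, "->", lookup(EXAMPLE_2, text))
```

    The third constructed entry never appears in a result because it has no mail attribute, which is what the leading (mail=*) element of Example 2 requires.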


  • Add domain user groups

    Domain user groups can have all available user access rights except for the access to Service tools.

    You can manage a maximum of 50 domain groups.

    NOTE

    You can edit and delete domain user groups in the same way as described for the local user groups. (Create, edit, and delete local user groups on page 16)

    1. Go to: [Configuration]→[Groups].

    2. Click [Add domain group].

    3. Select the domain in the dialog that appears.

    4. The LDAP connection settings are read from the domain configuration.

    NOTE

    When you use a factory defined user account to log in and the [LDAP connection] setting is set to [Use credentials of current user], a connection cannot be made. If this occurs, do the following.

    1. Go to the domain settings. (Add, edit, and delete domains on page 25)

    2. In the [LDAP connection] function, select [Custom] to define the login credentials to connect to the LDAP server.

    5. Click [OK]. A dialog appears that shows all LDAP user groups configured in the domain.

    6. Select the LDAP user groups you want to map as domain user group.

    7. Click [OK].

    8. Select the domain user group and click [Edit] to define the user access rights. (Learn about PRISMAsync user access rights on page 10)


  • Add, edit, and delete local user accounts

    Go to the local user accounts

    Go to: [Configuration]→[Users].

    Add a new local user account

    1. Click [Add].

    2. Define the user account attributes. (See table below)

    3. Click [OK].

    Delete local user accounts

    You can delete user accounts, but you cannot delete your own account.

    1. Select one or more user accounts.

    2. Click [Delete].

    3. Click [OK].

    Edit a user account

    You can edit local user accounts.

    1. Select a user account.

    2. Click [Edit].

    3. Change the attributes. (See table below)

    4. Click [OK].

    Test the email address of the user

    The test checks the email address and the connection to the configured mail server.

    1. Select a user account.

    2. Click [Edit].

    3. Click [Start the test].

    4. Click [OK].

    User account attributes

    Attribute: Description

    [Username]: Name of user account and login name

    [Description]: Description of the user account or user.

    [Full name]: Given name and surname of the user.

    [Authorize user to access hotfolders]: Indicate if this user account can access hotfolders. Only authorized user accounts can access hotfolders. (Define access to a hotfolder on page 43)

    [Email address]: Email address that belongs to the user account. This email address is used for scan-to-email. This email address is also used for the recovery of the password of the user. The maximum number of characters is 128. (Recover password on page 63)

    [Password]: Password for login. You can change passwords of all user accounts, except for the password of the Service operator.

    [Confirm password]: Password for login.


  • Assign a local user account to a local user group

    You can assign a local user account to one or more local user groups.

    1. Go to: [Configuration]→[Users].

    2. Select the user account.

    3. Click [Member of].

    4. Select the user groups where you want to add the user account and click the -> arrow.

    5. Click [OK].

    NOTE

    You can also add user accounts to groups with the [Members] button on the [Groups] tab.


  • Enable or disable a local user account

    You can enable or disable all local user accounts. According to security guidelines in your organization, it can be necessary to disable user accounts of users who are not using or servicing the printer continuously.

    1. Go to: [Configuration]→[Users].

    2. Select a user account.

    3. Click [Edit].

    4. Click the [User account is enabled] check box to enable or disable the user account.

    5. Click [OK].


  • Chapter 4 Configure user permissions

  • Define access to control panel

    1. Go to: [Configuration]→[Users].

    2. Click [Configure user login].

    3. Use the function [Access to control panel].

    • Select [With user authentication] to secure the control panel with user login.

    • Select [Without user authentication] to allow users to use the control panel without logging in.

    NOTE

    Users of all factory defined user groups can access the control panel by default.


  • Define access to Settings Editor and use of USB

    There are several general access security functions that are applicable to all users who want to use the printer.

    Secure the Settings Editor information

    1. Go to: [Configuration]→[Security]→[Passwords].

    2. Use the function [Permission to view Settings Editor].

    • Select [Allow viewing after user authentication] to secure the Settings Editor information with a user login.

    • Select [Allow viewing without user authentication] to allow users to read Settings Editor information without logging in.

    Enable the use of USB drive

    With the System configuration settings on the control panel you can enable or disable the use of the USB port.

    NOTE

    When the USB port is disabled you cannot install, upgrade, downgrade, or import software with a USB drive.

    1. Go to the control panel.

    2. Go to: [System]→[Setup]→[System configuration]→[Security].

    3. Use the setting [Use of USB device].


  • Enable or disable the use of the USB port for printing

    1. Go to: [Preferences]→[System settings]→[Printing workflows].

    2. Use the function [Print from USB].

    Enable the use of the USB port for scanning

    1. Go to: [Configuration]→[Connectivity]→[Scan to file].

    2. Use the function [Scan to USB].

    Enable or disable the use of the mouse to operate the control panel

    1. Go to: [Preferences]→[System settings]→[Accessibility].

    2. Enable or disable the use of the mouse.


  • Determine how personal jobs are defined

    The access right [Access only personal jobs] determines if a user can only print or change jobs that belong to him or her. (Learn about PRISMAsync user access rights on page 10)

    The job owner name in the ticket can be the unique, fully qualified name, for example [email protected], or can be a non-qualified name, for example user1. You can determine how PRISMAsync distinguishes personal jobs.

    IMPORTANT

    Be aware that the personal jobs determination based on non-qualified names cannot be reliable in organizations where usernames are not unique.

    1. Go to: [Configuration]→[Users].

    2. Click [Configure user login].

    3. Click to select the [Use fully qualified username identification] check box.

    4. Click [OK].


  • Define use of passwords

    PRISMAsync warns a user in case his or her password is a default password or is not according to the security guidelines of your organization.

    The Settings Editor requests a user to replace the password in the following situations:

    1. Password is a factory-defined user account password.

    2. Password is defined by the system administrator and has never been changed by the user.

    3. Password is older than the set lifetime.

    4. Password is not strong enough, according to the complexity rules set for passwords.

    Go to the password configuration

    1. Go to: [Configuration]→[Users].

    2. Click [Configure user login].

    Define the complexity rules of strong passwords

    When you force the use of strong passwords, all new or changed user account passwords must meet the set complexity rules.

    NOTE

    The rules do not impact the passwords of the domain user accounts.

    1. Click to select the check box [Only permit strong passwords according to rules set below:].


    2. Define the minimum number of characters.

    3. Click to select the check box [Only permit passwords with both uppercase and lowercase characters].

    4. Define the minimum number of numeric characters.

    5. Define the minimum number of special characters.

    6. Click [OK].

    Define the lifetime of passwords

    1. Define the lifetime of passwords in days.

    2. Click [OK].

    Define the maximum number of password attempts

    You can configure the maximum number of attempts a user can make to start a session. When a user has tried a wrong password too often, the user account is disabled. After a successful login, the counter is set to zero again.

    1. Click to select the [Restrict the number of password attempts] check box.

    2. Define the maximum number of attempts in the [Maximum number of password attempts] text box.

    3. Click [OK].


  • Define session timers

    PRISMAsync has three session timers: for the control panel, for Remote Manager and for the Settings Editor. The session timer of the Settings Editor is always active. You can activate session timers for Remote Manager and for the control panel. You can define two session timeout periods: for the session timer of the control panel and for the session timer of the Settings Editor and Remote Manager.

    1. Go to: [Configuration]→[Users].

    2. Click [Configure user login].

    3. Click to select the [Activate local session timer] check box.

    4. Define the session timeout period of the local session timer.

    5. Click to select the [Activate session timer of Remote Manager] check box.

    6. Define the session timeout period of the [Remote session timeout (minutes)]. This session timeout period applies to the session timers of the Settings Editor and Remote Manager.

    7. Click [OK].


  • Define access to a hotfolder

    Hotfolders can be accessed by user accounts that are authorized for the use of hotfolders. (Add, edit, and delete local user accounts on page 31) To restrict the hotfolder access to a specific group of authorized user accounts, you can link a user group to the hotfolder. Then, only authorized user accounts of this user group can access and use the hotfolder.

    1. Go to: [Workflow]→[Hotfolders].

    2. Click [Add] or select a hotfolder and click [Edit].

    3. Use the function [Access].

    • Select [All authorized users] when all authorized user accounts are allowed to access this hotfolder.

    • Select [Authorized users of a specific user group] when all authorized user accounts of a specific user group are allowed to access this hotfolder.

    4. Select the user group if you indicated that in step 3.

    5. Click [OK].


  • Define access to media settings from control panel

    You can decide if operators are allowed to do media management and media optimization from the control panel.

    1. Open the Settings Editor and go to: [Media]→[Configuration].

    2. Use the setting [Media management via control panel].

    3. Use the setting [Media optimization via control panel].


  • Chapter 5 Configure smart card usage

  • Learn about PKI smart card login

    What is a PKI smart card

    Public Key Infrastructure (PKI) smart cards provide a strong security method for organizations that want to use single sign-on (SSO) to authenticate employees. Single sign-on means that users can use the same credentials to access connected systems within their organization. The personal identification data are embedded on the smart card chip. Not only personal information but also one or more smart card certificates and the encrypted private key of the user are part of the smart card. The public key is embedded in the smart card certificate. The smart card can be protected with a PIN or password which provides additional protection against unauthorized access by others.

    The smart card chip contains software to do the following:

    • Encrypt and decrypt data, for example, by means of keys.

    • Check the revocation status of certificates.

    • Verify the entered PIN or password.

    • Block the smart card, for example, after too many failed PIN or password entry attempts.

    A smart card can store different smart card certificates and private keys that represent different users.

    The authorization and authentication of smart card users use the PRISMAsync domain and user group configuration. (Learn about smart card authentication on page 48)

    The smart card usage leaves the existing PRISMAsync login method in place. So when a smart card reader is attached, users without a smart card can also have access to the control panel.

    Before users can use their smart cards to access the control panel, you need to enable the smart card usage and smart card certificate authentication in the Settings Editor. (Configure the use of smart cards on page 51)

    PRISMAsync supported smart card readers and cards

    PRISMAsync printers support a list of smart card readers and smart cards.

    Readers:

    Manufacturer: Reader type

    Identive (previous name SCM Microsystems Inc.): SCR331 Smart Card Reader, SCR3310 Smart Card Reader, SCR3310v2 Smart Card Reader

    Gemalto: IDBridge USB Smart Card Reader (previous name GemPC / Gemplus USB smart Card Reader)

    HID Global Corporation: Omnikey 5x2x, Omnikey 3x2x

    ACS: ACR1281U

    Cards:

    Manufacturer: Card type

    Gemalto: IDPrime.NET (previous name Axalto Cryptoflex .NET), IDPrime MD

    HID Global Corporation: Crescendo MiniDriver (f), Crescendo C1150


  • Learn about smart card authentication

    When a supported smart card is inserted in a supported reader, PRISMAsync reads the card and starts the smart card certificate authentication.

    A smart card can store different smart card certificates and private keys that represent different users. When there is more than one smart card certificate stored on the smart card, the user first selects the username.

    The scheme below describes the smart card verification steps during login.

    [Figure: flowchart of the verification steps 1 to 6 for a login with a smart card. Decision labels: Time valid / Not time valid; Certificate not revoked / Certificate revoked (optional); Trusted certificate chain / No trusted certificate chain; Valid purpose / No valid purpose; PIN accepted / PIN denied (optional). End state: Valid smart card, Start User authentication.]

    1. PRISMAsync only accepts smart cards that are time valid.

    2. It depends on the PRISMAsync smart card configuration, if PRISMAsync checks the revocation states of the smart card certificate chain. The revocation state of the root certificate is not checked.

    3. PRISMAsync only accepts smart cards for which the entire smart card certificate chain can be trusted. (Trusted CA certificates of smart card certificate on page 49)

    4. PRISMAsync only accepts smart card certificates that are issued for smart card usage.

    5. It depends on the PRISMAsync smart card configuration, if the entered PIN or password is checked. When a smart card belongs to more than one user, the login panel shows a drop-down list to select the username. PRISMAsync only proceeds with the user authentication when the smart card PIN or password is correct.

    6. When all verification steps are successful, the user authentication process starts. (Smart card authorization and authentication on page 50)


  • Trusted CA certificates of smart card certificate

    A smart card certificate is issued by a Certification Authority (CA). This CA can be another (Intermediate) CA or a Root CA. The Root CA certificate is issued by the Root CA itself. The Root CA certificate is the end point of the certificate chain and establishes the point of trust. In this way the relationship between CAs is created.

    The smart card certificate can be trusted if it has been verified by trusted CA certificates. PRISMAsync stores CA certificates in the list of trusted certificates.

    The certificate chain determines how the verification of certificates in the chain takes place. PRISMAsync verifies the smart card certificate chain as soon as a user logs in with a smart card.

    Example:

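    [Figure: certificate chain of a smart card certificate, with the labels PRISMAsync and Smart card. Root certificate: owner Root CA, public key of Root CA, issued by Root CA, purpose, expiration dates. Intermediate certificate: owner CA, public key of CA, issued by Root CA, purpose, expiration dates. Smart card certificate: owner, public key of owner, issued by CA, purpose, expiration dates. The numbers 1, 2, and 3 mark the verification steps described below.]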

    1. PRISMAsync reads the issuer field of the smart card certificate and verifies if the issuer is in the PRISMAsync list of trusted certificates. If the issuer is in the list, PRISMAsync uses the public key of the CA to verify the signature on the smart card certificate.

    2. The CA certificate is issued by the Root CA. Thus, this CA certificate is an Intermediate certificate. Now PRISMAsync verifies if the Root CA is in the list. If the Root CA is in the list, PRISMAsync uses the public key of the Root CA to verify the signature on the CA certificate.

    3. The Root CA certificate is issued by the Root CA itself. The signature on the Root CA certificate can be verified with the public key of the Root CA.

    When all smart card CAs prove to be trusted, PRISMAsync considers the smart card certificate as trusted.
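    The three verification steps above, together with the time-validity and purpose checks from the login scheme, as an added Python example that is not PRISMAsync code. It builds a constructed Root CA, CA, and smart card certificate with the third-party cryptography package and walks the chain against a list of trusted certificates; all names, the EC keys, and the use of the Smart Card Logon extended key usage as the "purpose" are assumptions, and the revocation and PIN checks are left out.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumption: "issued for smart card usage" is modelled as the Microsoft
# Smart Card Logon extended key usage; the guide does not name the purpose OID.
SMART_CARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
NOW = datetime.now(timezone.utc)


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, key, issuer_cn, issuer_key, ca, valid=(-1, 365), eku=None):
    """Build a constructed certificate for `key`, signed with `issuer_key`."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(cn))
        .issuer_name(name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW + timedelta(days=valid[0]))
        .not_valid_after(NOW + timedelta(days=valid[1]))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def validity(cert):
    """Return (not_before, not_after) as aware datetimes on old and new library versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def chain_problems(card_cert, trusted, now=None):
    """Walk issuer by issuer up to a self-signed root; return the problems found."""
    now = now or datetime.now(timezone.utc)
    by_subject = {c.subject: c for c in trusted}
    problems = []
    try:
        eku = card_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if SMART_CARD_LOGON not in list(eku):
            problems.append("no valid purpose")
    except x509.ExtensionNotFound:
        problems.append("no valid purpose")
    cert = card_cert
    for _ in range(10):  # bound the walk so a loop in the issuer names cannot hang
        start, end = validity(cert)
        if not start <= now <= end:
            problems.append("not time valid: " + cert.subject.rfc4514_string())
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            problems.append("issuer not trusted: " + cert.issuer.rfc4514_string())
            break
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            problems.append("bad signature on: " + cert.subject.rfc4514_string())
            break
        if cert.subject == cert.issuer:  # Root CA certificate: end point of the chain
            break
        cert = issuer
    else:
        problems.append("chain too long")
    return problems


# Constructed three-level chain: Root CA -> CA -> smart card certificate.
ROOT_KEY, CA_KEY, CARD_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert("Constructed Root CA", ROOT_KEY, "Constructed Root CA", ROOT_KEY, ca=True)
CA = make_cert("Constructed CA", CA_KEY, "Constructed Root CA", ROOT_KEY, ca=True)
CARD = make_cert("user1", CARD_KEY, "Constructed CA", CA_KEY, ca=False, eku=SMART_CARD_LOGON)
EXPIRED = make_cert("user2", CARD_KEY, "Constructed CA", CA_KEY, ca=False,
                    valid=(-30, -2), eku=SMART_CARD_LOGON)
# Names the CA as issuer but is signed with a different key.
ROGUE = make_cert("user3", CARD_KEY, "Constructed CA", ROOT_KEY, ca=False, eku=SMART_CARD_LOGON)
NO_PURPOSE = make_cert("user4", CARD_KEY, "Constructed CA", CA_KEY, ca=False)

if __name__ == "__main__":
    for label, cert, trusted in (("complete list", CARD, [CA, ROOT]),
                                 ("CA not imported", CARD, [ROOT]),
                                 ("expired card", EXPIRED, [CA, ROOT])):
        print(label, "->", chain_problems(cert, trusted) or "trusted")
```

    The "CA not imported" case corresponds to a list of trusted certificates that holds the Root CA certificate but not the Intermediate CA certificate.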

    Smart card user authentication

    In general, smart card users have an LDAP user account on an LDAP directory server. To support these user accounts, you configure a PRISMAsync domain and the required PRISMAsync domain user groups. The smart card users, like the other domain users, get their access rights from the configured PRISMAsync domain groups. (Learn about domains on page 23, Learn about user groups on page 13)

    When a user inserts his or her smart card, PRISMAsync reads the UPN (Universal Principal Name) on the smart card. The UPN contains a reference to a domain so that PRISMAsync can verify if the domain is configured on PRISMAsync. You can configure how PRISMAsync must handle user accounts from an unknown domain.


  • The PRISMAsync standard and configurable behavior is explained in the scheme below.

    Smart card authorization and authentication

    [Figure: flowchart of smart card authorization and authentication. Valid smart card; Known PRISMAsync domain (Yes / No); In domain user group? (Yes / No); Configured user group? (Yes / No); Check access rights.]

    1. When the smart card is valid (Learn about PKI smart card login on page 46), PRISMAsync checks if the smart card domain is known.

    2. When the domain is known, PRISMAsync checks if the user account belongs to a PRISMAsync domain user group.

    • The user is accepted when one or more PRISMAsync domain user groups are found.

    • The user is not accepted when no PRISMAsync domain user group is found.

    3. When the domain is unknown, PRISMAsync checks your configuration. The user is accepted when you enable [Accept smart cards from all domains] and select a user group in the [Group for smart cards from unknown domains] function.

    Check access rights

    As seen in the scheme, all accepted smart card users belong to at least one user group. This user group or groups determine the user access rights.


  • Configure the use of smart cards

    The smart card configuration consists of a series of functions and a test to check the configuration for a reader with an inserted smart card.

    1. Configure the PRISMAsync domain or domains where the smart cards belong. (Add, edit, and delete domains on page 25)

    2. Create the domain user groups the smart card users belong to. (Add domain user groups on page 29)

    3. Import the smart card CA certificates in the list of trusted certificates. (Import a certificate on page 56)

    4. Connect the reader to a free USB port at the back side of the PRISMAsync Print Server controller.

    5. Open the Settings Editor and go to: [Configuration]→[Users].

    6. Click [Configure smart cards].

    7. Use the [Use smart cards for login] function to enable the usage of smart cards.

    8. Use the [Check smart card pin code] function to include a PIN or password verification. When smart cards have a PIN protection, ensure you enable this function.

    9. Use the [Check if certificates are revoked] function to include the verification of the revocation status.

    10. Use the [Accept smart cards from all domains] function to indicate that you accept smart card users from unknown domains. (Learn about smart card authentication on page 48) Use the [Group for smart cards from unknown domains] function to specify the user group for smart card users from an unknown domain. (Create user group for smart card users without domain on page 52)

    11. Click [OK] or proceed with the test to check the smart card configuration. (Test the smart card configuration on page 53)


  • Create user group for smart card users without domain

    When you accept smart card users from unknown domains, you need to create a specific user group that defines the user rights for these smart card users. (Learn about smart card authentication on page 48)

    1. Go to: [Configuration]→[Groups].

    2. Click [Add].

    3. Define the user access rights. (Learn about PRISMAsync user access rights on page 10)

    4. Click [OK].


  • Test the smart card configuration

    You can check the validity of an inserted smart card after you configured the PRISMAsync smart card functions. (Configure the use of smart cards on page 51)

    Test the smart card

    With this test you check if the public key is on the smart card, if the smart card is readable, and if the smart card certificate chain is valid.

    1. Connect the reader to a free USB port at the back side of the PRISMAsync Print Server controller.

    2. Open the Settings Editor and go to: [Configuration]→[Users].

    3. Click [Configure smart cards].

    4. In the [Test smart cards] section, click [Start the search].

    5. Use the [Select smart card reader] drop-down list to select the attached reader.

    The [Smart card status] field shows the status of the smart card:

    • [Readable]

    • [Unreadable]

    • [No smart card], in case no smart card has been inserted.

    The [Smart card name] and [Smart card ATR] fields show the details of the inserted smart card.

    6. Use the [Select smart card certificate] drop-down list to select the smart card certificate.


    7. The following fields show the retrieved information from the smart card:

    • [Type of smart card certificate] ([Identity certificate], [Intermediate certificate], or [Root certificate])

    • [Subject alternate names in smart card certificate]

    • [Smart card certificate issued by]

    • [Smart card certificate valid from]

    • [Smart card certificate valid to]

    • [Purpose of smart card certificate]

    8. The test results also show if the private key is available ([Private key is available]) and if the smart card certificate is valid ([Smart card certificate chain is valid]).

    9. When the test reveals any problems within the chain, they are specified in the [Found problems in smart card certificate chain] field.

    10. To examine which certificate causes the problem, you can use the [Select certificate of smart card certificate chain] function to select an Intermediate certificate or the Root certificate.

    11. Enter the PIN or password in the [PIN or password to check smart card] field.

    12. Click [Start the test]. The authentication process is starting.

    NOTE

    Be aware that smart cards can be blocked after a certain number of failed PIN or password attempts.

    13. The found username, type of user group, and the name of user group are shown.


    14. When the PIN or password is valid, the test results show: [Succeeded]. When the test reveals any authentication problems, they are specified.

    15. Click [OK].


  • Import a certificate

    PRISMAsync uses trusted CA certificates to verify the identity of systems with which it wants to establish secure connections. There are two types of CA certificates: Root CA certificates and Intermediate CA certificates. When the certificate chain of an Identity certificate contains not only a Root CA certificate but also one or more Intermediate CA certificates, all CA certificates must be available and installed. You import the CA certificates in the list of trusted certificates.

    NOTE

    The identity certificate itself is not imported.

    1. Go to: [Configuration]→[Trusted certificates].

    2. Click [Import].

    3. Browse to the .crt CA certificate file.

    4. Click [Import]. PRISMAsync checks if the certificate is an Intermediate CA or Root CA certificate. If the certificate type is unknown, the certificate is not imported.

    5. The CA certificate is listed.


  • Chapter 6 Log in, log out, and change passwords

  • Log in to the printer

    Access without login

    It depends on the function [Access to control panel] if all users are allowed to view the control panel settings without a login.

    It depends on the function [Permission to view Settings Editor] if all users are allowed to view the Settings Editor information without a login. When you can view the Settings Editor without logging in, the name Visitor is shown.

    Access with login

    Below you find the following instructions:

    1. Log in with a domain user account

    2. Log in with a factory defined user account

    3. Log in with a local user account

    4. Log in with a smart card

    5. See your password during login

    Log in with a domain user account

    When there are no configured domains, you do not see the domain selection on the login panel. When at least one domain has been added, a pull-down list to select a domain is part of the login panel.

    Your corporate username combined with the selected domain and the suffix defined for the domain make a Universal Personal Name (UPN).

    1. Select the domain from the [Domain] list.

    2. Enter your username and password.

    3. Touch or click [OK].

    Log in with a factory defined user account

    When you use a factory defined user account, you can select the user account from a list.


    1. When the domain selection is displayed, select the hostname or IP address of the printer.

    2. Select the factory defined user account from the list.

    3. Enter the password.

    4. Touch or click [OK].

    The name of the user account is displayed.

    Log in with a local user account

    When you use a local user account, you need to log in with a username.

    1. When the domain selection is displayed, select the hostname or IP address of the printer.

    2. Select [Personal username] from the list.

    3. Enter your username and password.

    4. Touch or click [OK].

    After a successful login, the name of your user account is displayed.


  • Log in with your smart card

    Your organization can use smart cards to identify users of the printer. A single smart card can be used for the authentication of one or multiple user accounts.

    1. Insert your smart card into the reader at the control panel.

    2. Select your username, if the smart card is configured for multiple user accounts.

    3. Enter your password or PIN to authenticate.

    4. Press [OK].

    After a successful login, the name of your user account is displayed.

    See your password during login

    The password field where you type your password hides the characters you enter. Touch the eye symbol in the text field to check the characters you entered.


  • Log out or switch roles

    When you are finished, it is important to log out to end the session. It is also possible to authenticate again with another user account without leaving the application.

    The session timeout period determines how long you remain logged in without using the printer.

    Log out on the control panel and the Settings Editor

    1. • On the control panel touch the name of your user account.

    • In the Settings Editor click the name of your user account.

    2. Touch or click [Log out].

    Log out at control panel when using a smart card

    Remove your smart card from the reader.

    Log out in Remote Manager

    Click [Log out].

    Switch roles to change settings

    When you are in the Settings Editor or on the control panel and you want to change a setting for which you do not have sufficient rights, you see the following message. If you have another user account that is authorized for the setting, you can log in again with that user account.


  • Change password

    Users are strongly recommended to follow the security guidelines of their organization. The use of passwords is part of these security guidelines.

    NOTE
    This instruction does not apply to the password of a domain user account.

    1. • Log in on the control panel and touch the name of your user account.

    • Log in on the Settings Editor and click the name of your user account.

    2. Touch or click [Change your password].
    3. Enter your current password.
    4. Enter your new password and confirm the new password.
    5. Touch or click [OK].


  • Recover password

    If you have lost your password, you can define a new password via a password recovery email. The email with the link to define a new password is sent to the email address associated with your user account. Activate the link within four hours after you receive the email.

    IMPORTANT
    Ensure that your email address is part of your user account settings. Otherwise, the password must be changed in the PRISMAsync user account settings. In case you do not have the rights to access the user settings, you need to provide your password.

    NOTE
    This recovery instruction does not apply to the password of a domain user account and the factory defined system administrator account.

    Recover password from control panel

    1. Go to the control panel.
    2. Enter your username and do not enter a password.
    3. Press [OK].
    4. Touch [Forgot password?].

    Recover password from Settings Editor or Remote Manager

    1. Click [Recover password] on the login panel.
    2. Click [OK].


  • Reset the factory defined system administrator account

    When you reset the factory defined system administrator account, the factory defined user group of system administrators and the factory defined system administrator account are restored. To use this function, you need to have the [Restore factory default administrator] rights. (User access rights of factory defined user groups on page 15)

    IMPORTANT
    The factory defined system administrator account and Service operator account have the [Restore factory default administrator] rights. When the factory defined system administrator account needs to be restored, there must be at least one other user group that has the [Restore factory default administrator] rights.

    1. Go to: [Configuration]→[Security]→[Passwords].

    2. Click [Restore factory-defined account values].



