Multi-layer Access Control or “record level security” is complex to implement in an application that has global reporting tools. Filtering reports by User Groups and Printer Groups when users can be members of multiple Admin Rights Groups produces reports that are difficult to control. An administrator may have access to print environmental reports, but if they are restricted from administering one or more user groups, the activity of those users will not be reflected in the report if record level security is applied.
Assumption can be made to provide some level of Access Control for reports, but regardless of how we design it, the majority of use cases can not be addressed effectively.
While multi-layer access control is not currently available in PaperCut, users who require some form of access control on report data can use one of the following approaches:
Central report administration
- Remove report access from all administrators except a central staff that can configure Scheduled Email Reports for other administrators. The reports can have filters set to restrict the data to groups of printers, groups of users, departments, offices and other reporting criteria.
Multiple installations of PaperCut - If you need full reporting capability, implement completely firewalled servers (could be VPSs on a single server) with separate PaperCut primary servers. This configuration will partition the data on each server. Your license allows you to install PaperCut on multiple primary servers as long as the total number of users, devices and other options for all servers do not exceed the license parameters. If any consolidated reporting is required, an external database such as MySQL can be used to extract data from each of the server instances for reporting using db reporting tools like Crystal Reports.
PaperCut suggests option a) in most situations.
We continue to review this topic and welcome any suggestions for future development.
Keywords: ACL, ACLs, add administrators, admin rights, administrator access, admin login, admin security, allow others to administer, group